Embed Size (px)
Citation preview
DAN STEMATIU
2009
PR
OB
AB
ILIT
GRAVITY
NON ACCEPTABLE
CONDITIONALLY ACCEPTABLE
ACCEPTABLE
ACTION NECESSARY
ACTION VOLUNTARY
Y
2
Descrierea CIP a Bibliotecii Naţionale a României STEMATIU, DAN Dam Safety Management / Dan Stematiu – Bucurereşti: Conspress, 2009 Bibliogr. ISBN xxx-xxxx-xx-x xxx.xx Colecţia Carte Universitara
CONSPRESS
B-dul Lacul Tei nr. 124, sector 2, Bucureşti Tel: (021) 242 27 19 / 169; Fax: (021) 242 07 81
3
FOREWORD The present booklet is an addendum to Dam Engineering main textbook written by the same author. The aim of this supplement is to present the basic principles concerning dam safety assessment, risk evaluation and risk management and some general ideas on dam design based on probabilistic approach. A complete exposition of safety and risk issues related to dams cannot be contained in a booklet of this size. However, sufficient information is presented to give the reader a general picture of the problems involved. It will be necessary for the students who want to have a true picture of this rather difficult domain of dam safety management to consult additional books, papers and ICOLD bulletins. Dams are, without doubt, among the safest structures constructed by man. Indeed, dam engineers spare no effort in order to ensure that every dam is conceived, built and maintained according to the best experience, the most exacting criteria and the most advanced knowledge. And these efforts are, by and large, extremely successful. However, no matter how well a dam is built or maintained, the risk of failure cannot be reduced to zero. Dam failures are severe threats to life and property that fully justify the need for a better understanding of risks to the public posed by dams. The statistics confirm the improvement of dam safety in the last decades. The yearly probability of failure of a dam built at present is of the order of 10-5. But this low probability can be reduced still further by the common effort of the profession towards a better understanding and control of safety. That is the reason of the present work. The booklet consists of six chapters divided into sections, each of which deals with a certain theme related to dam safety. At the end of each chapter a short bibliographic list, which was effectively used, is included. The basic references are the ICOLD Bulletin 130, the papers of Kaare Hoeg, Harald Kreuzer, Pierre Londe, Gary Solomon and Raymond Steward and the book Safety and Risk in Hydraulic Structures written by Dan Stematiu and Stefan Ionescu. In the first chapter some introductory notions are included. Risk definition and the main purpose of risk analysis are presented as well as the limits of factor of safety approach. The trade-off between extra safety (reduced risk) and the increased use of society's resources is emphasized. A brief review of the reasons why dams fail and of risk factors follows. Lessons from past failures are also included. In the second chapter a brief classification of approaches to risk analysis is presented and the risk analysis concept is decomposed into its basics: quantitative risk analysis, evaluation of dam failure consequences and risk assessment. The next two chapters deal with the main factors of risk: dam failure probability and consequence. The probability of dam failure is computed by using various failure scenarios. Failure modes identification is treated as an essential step in the process. The main alternatives used for probability of failure evaluation – statistical data, event trees analysis and capacity-demand procedure – are briefly presented. Some comments regarding the difficulties in estimating uncertainty in numerical terms are included. The consequence assessment process is treated in the book in its logical
4
development: dam breach modelling, accidental flood routing and evaluation of loss of life and economic and environmental consequences. Risk management issue is presented in chapter five. Starting from the unanimously accepted concept that absolute safety is unattainable, because it would require the spending of an unlimited amount of society’s resources, conditions for the tolerability of risk are identified. Then the risk reduction vectors are individually treated. It is shown that regular monitoring of a dam's behaviour throughout its operating life is essential in ensuring safety. This does not require extensive instrumentation but a reasonable number of carefully selected types of monitoring sensors. The emergency preparedness side of risk reduction has as main objective to evacuate people before the catastrophe occurs to bring them to safety. The last chapter is dedicated to design strategies based on risk evaluation. The objective of this chapter is to focus attention to the new trends in dam design by presenting three branches of application: probabilistic approach is dam type selection, new guidelines for establishing extreme floods and earthquakes for dam design or safety evaluation based on tolerable levels of exposure and best strategy for monitoring improvement based on trade-off between cost and risk. The objectives of the author were to present clearly and concisely some principles related to dam safety and risk management. All the details have been kept to a minimum in order to achieve a better understanding of the subject. February 2009 Dan Stematiu
5
CONTENTS
1. INTRODUCTION ………………………………………………….……… 7
1.1. Risk definition ………………………………………………………………….. 7 1.2. Purpose of risk analysis …………………………………………… …………. 8 1.3. Limits of Factor of Safety approach ………………………………………….. 10 1.4. Leading Causes of Dam Failure ………………………………………………. 11 1.5. Risk factors …………………………………………………………………….. 13 1.6. Lessons from past failures …………………………………………………….. 13
1.6.1. St. Francis dam …………………………………………………………….. 13 1.6.2. Malpasset dam …………………………………………………………….. 15 1.6.3. Teton dam …………………………………………………………………. 17 1.6.4. Vajont dam ………………………………………………………………… 20 1.6.5. Banqiao dam ………………………………………………………………. 22 1.6.6. Belci dam ………………………………………………………………….. 23
Bibliography …………………………………………………………………………. 25
2. RISK ANALYSIS CONCEPT ………………………………………….. 27 2.1. Approaches to risk analysis …………………………………………………… 27 2.2. The basic concept of quantitative analysis …………………………………… 33 2.3. Dam failure consequences ……………………………………………………… 34 2.4. Risk assessment …………………………………………………………………. 35 Bibliography …………………………………………………………………………. 35
3. DAM FAILURE PROBABILITY …………………………………………... 37
3.1. Failure modes identification ………………………………………………….... 37 3.1.1. General …………………………………………………………………….. 37 3.1.2. Earth dam failures modes ………………………………………………… 37 3.1.3. Concrete dam failure modes ………………………………………………. 40 3.1.4. Failure modes related to floods …………………………………………… 41 3.1.5. Failure modes related to earthquakes ……………………………………… 42 3.1.6. Failure modes related to gate failures …………………………………….. 43
3.2. Failure probabilities based on statistical data ……………………………….. 44 3.3. Failure probabilities based on event trees ……………………........................ 46 3.4. Failure probabilities based on reliability analysis ……………………………. 51 3.5. Monte Carlo method …………………………………………………………… 58 3.6. Comments on probability of failure ………………………………………….. 58 Bibliography …………………………………………………………………………. 59
4. CONSEQUENCE ASSESSMENT ………………………………………... 61 4.1. Introduction …………………………………………………………………….. 61 4.2. Identifying consequences ………………………………………………………. 61 4.3. Dam breach modelling …………………………………………………………. 62 4.4. Flood routing ……………………………………………………………………. 64 4.5. Evaluation of consequences ……………………………………………………. 66
4.5.1. Loss of life ………………………………………………………………… 66 4.5.2. Economic consequences ………………………………………………….. 68 4.5.3. Environmental consequences……………………………………………… 69 4.5.4. Socio-economic and other consequences of dam failure …………………. 69
Bibliography …………………………………………………………………………. 70
6
5. RISK MANAGEMENT ………………………………………………………… 71 5.1. Introduction ……………………………………………………………………. 73 5.2. Tolerability and acceptance of risk …………………………………………… 74 5.3. Risk reduction ………………………………………………………………….. 78
5.3.1. Dam surveillance ………………………………………………………….. 79 5.3.2. Dam monitoring instrumentation ………………………………………….. 83 5.3.2. Emergency concept ………………………………………………………… 88
5.4. Risk treatment ………………………………………………………………..... 90 Bibliography …………………………………………………………………………. 92
6. DECISION STRATEGIES BASED ON RISK EVALUATION …. 94 6.1. Design criteria based on probabilistic approach …………………………….. 94 6.2. Consequence based dam safety criteria ………………………………………. 97 6.3. Dam monitoring improvement based on net expected benefit …………….. 101 Bibliography …………………………………………………………………….........108
7
1 INTRODUCTION
1.1. Risk definition Risk is a term of universal significance with several interpretations. In the traditional approach risk is the likelihood or probability of adverse consequences. According to International Comission on Large Dams (ICOLD) risk is a measure of the probability and severity of an adverse effect to life, health, property, or the environment. Risk is estimated by the mathematical expectation of the consequences of the adverse event occuring:
Risk = Probability of dam failure per year x consequences of realized failure. Alteratively, risk is estimated by the combined impact of all triplets of scenario, probability of occurrence and the associated consequence. For an identified scenario the probability of failure may be defined in terms of probability of load (external stress) times probability of adverse dam response (vulnerability to failure) to that load .
=
sponseGiven es Consequenc
xGiven Load
sponse Adverse of obability
x of Load
obabilityRisk
ReRe
PrPr
The risk may be total risk from all scenarios, or specific risks from individual random events such as floods, earthquakes, or other events such as piping or misoperation of spillway gates. Human error may contribute by increasing the probability of failure in some cases and magnifying the consequences in others. The total risk can be determined by summing the values from all scenarios. It is usually assumed that the outcomes for each event are mutually exclusive (i.e. there is no chance of combinations of more than one outcome) such that the risk can be computed by summing the individual pathway risk values. Even if the events are not always mutually exclusive, their probabilities in a dam safety context are generally small and the resulting joint probabilities have little impact on the accuracy of the computations. The consequences may be expressed in terms of life safety, a primary consideration in dam risk assessment, or in terms of socio-economic losses, corporate financial loss, or environmental damages. It is wise to maintain life safety distinct and separate from other consequences.
8
Failure. Failure is defined as the event in which the system fails to function with respect to its desired objectives. Reliability is defined as the complement of risk, i.e. the probability of non-failure. Failure can be grouped into either structural failure or performance failure. In the field of dams failure is the collapse or movement of part of a dam or part of its foundation, so that the dam cannot retain water. In general, a failure results in the release of large quantities of water. If we use the variable R for resistance and the variable L for load, then we can define a failure as when the load exceeds the resistance and the consequent probability of failure as the probability of the loading exceeding the resistance, P(L>R). Because many uncertain variables define both the resistance and loading, they are both considered as random variables. Probabilities of failure are usually expressed as annual probabilities of occurrence with units of (year)-1. The occurrence of floods and earthquakes are characterised using a relationship between peak discharge for floods and peak ground acceleration (or magnitude) for earthquakes vs. annual exceedance probability (AEP). Risk Management. Risk management is a comprehensive, dynamic strategy applied to the tasks of analyzing, evaluating, controlling, and administration of risks witch threaten the well-being of life and natural and socio-economic environment.
1.1. Purpose of risk analysis The risk analysis process involves the scientific characterisation of what is known and what is uncertain about the present and future performance of the dam under examination. It is a structured process aimed at estimating both the probability of failure of the dam or dam components and the extent of the consequences. The outputs of the risk analysis effort provide a sound basis for a rational protection of individual and society against dam failure. Society today, more than a relatively few years ago, demands that safety evaluations be carried out and documented for activities involving risks imposed by dams on the public (as opposed to voluntary risks). Similar demands apply to certification and re-certification of nuclear power plants, chemical plants, offshore structures, bridges and infrastructure in general. Dams are, without doubt, among the safest structures constructed by man. Indeed, dam engineers spare no effort in order to ensure that every dam is conceived, built and maintained according to the best experience, the most exacting criteria and the most advanced knowledge. And these efforts are, by and large, extremely successful. The main issue stands with the existing dams. More extensive floods records, and possibly changes in climatic conditions since the construction of a dam, necessitate updating of flood estimates and re-evaluation of dam safety. Significant changes in physical conditions both upstream and downstream since the dam was built require a review of the risks involved.
9
The main purpose of carrying out a risk analysis is to provide decision support. For many applications, the resulting numerical values do not have to be accurate in absolute terms, but must be inherently consistent so they allow reliable relative comparisons among alternatives. Going through such a systematic procedure gives insight which is an essential outcome in itself, and has didactic value for owner, operator, consultant and safety professional. The procedure pinpoints specific features and conditions of the dam and its operation where the largest risk reductions can be achieved. Dam engineering field has to move from the conventional safety-oriented perspective towards the risk-oriented perspective (figure 1.1). The safety-oriented perspective assumes no risk of failure, since a dam is built according to high design criteria. Consequently damage for humans, economics and the environment can be excluded with a degree of probability verging on certainty unlikely. However an absolute safety cannot be ensured technically. The risk-oriented view point takes a risk of failure into account. Thus the residual risk has to be determined, evaluated and managed even if failure seems unlikely.
Figure 1.1. Alternatives in dam safety approach (after K. Rettemeier & coll)
Risk analysis should not be limited to a few thousand large dams, but should be adapted to the tens of thousands of water storage or irrigation dams. As the owners of these have a low income and no technical knowledge, such risk analysis should be organized by authorities, as well as advice and rules for structural or non-structural measures. Risk analysis should take into account the fact that storage of usual floods in the reservoir favours occupation of the riverbed by people at risk for exceptional floods. For small dams, visual inspection and simple measurements, if well organized and reported, are not costly and are essential for safety; their cost is essentially bound with staff costs.
Damssafe
10
1.3. Limits of Factor of Safety approach The assessment of safety in civil engineering works is traditionally obtained through a deterministic approach. In order to take account of the many uncertainties and of the scatter in the data, and also to cover the fact that models are necessarily approximate, a "factor of safety" is introduced. The margin between the real state and the limiting equilibrium state, the latter being strictly adequate in the absence of all uncertainties, is measured by the "factor of safety", a scalar number supposed to lump together all imperfections in the data and the model. The numerical value of the factor of safety FS has been determined empirically for different types of materials. It is common practice, for example, to use FS = 1.50 in most of the stability analyses of geotechnical materials, soils or rocks. This numerical value has even been incorporated in many codes of practice, all over the world, the users claiming that a design which complies with such a standard is perfectly safe. Unfortunately this is not true. In the first place because the value of the factor of safety depends on the mathematical model used and the associated definition of the factor of safety. Any reference to the value of FS therefore must state the method used in computing it. What is worse is that a given computed factor of safety represents a whole spectrum of widely differing failure probabilities, depending on the uncertainties in the input data (scatter, number of tests, quality of investigations and measurements, etc.). True safety can thus lie anywhere over a broad range. Figure 1.2 is a simple but striking illustration of how the failure probability of an embankment may vary in a ratio of 1000/1 for the same factor of safety F = 1.50 if, for example, 5 instead of 20 tests are available (with the same scatter) or if the coefficient of variation of the test results increases from 0.10 to 0.30 (for the same number of 10 tests). It is totally unjustifiable to base the stability assessment on a single figure bearing no relationship to engineering reality.
Figure 1.2. Failure probability for a given safety factor vs. the test number and their
coefficient of variation (after P. Londe) In each instant of a dam's life, there will be a definite relationship between the 'load' acting on it and the 'ultimate load' of the same type that the dam is able to withstand.
11
However, this relationship, which it is identified with a 'safety factor', is a continuously changing function of time as loads vary and the dam ages. Fortunately, the profession is becoming increasingly aware of the serious shortcomings of the safety factor concept and is recognizing that, in one way or another, one must move over towards probability concepts, the only approach capable of handling the inevitable uncertainty in the input data. The school of reliability and risk analysis was born from this move. 1.4. Leading causes of dam failure Overtopping: 1/3 of all dam failures globally Overtopping occurs when the level of a reservoir exceeds the capacity or height of the dam. This can be caused by an inadequate or dysfunctional spillway or by local large settlement of the dam crest. Overtopping occurs when water levels rise rapidly and without adequate warning (for example, due to flash floods, heavy rains, a landslide in the reservoir that creates an impulse wave, or if a dam upstream collapses). The result can compromise the structural integrity of the dam or it can quickly erode the abutment on either side of the dam. In earthen dams the main cause of failure is erosion caused by overtopping. Foundation defects: 1/3 of all dam failures Defects can occur in the foundation supporting the dam. The foundation instability under seepage forces is the most common failure mechanism. Any event causing the movement of a foundation, such as an earthquake, can compromise a dam’s integrity. High uplift pressures and uncontrolled foundation seepage can also compromise the dam’s foundation. Piping and seepage: 1/5 of all dam failures. Embankment dams can be compromised when too much water seeps or leaks through the structure. Dam failure can occur when the structure becomes weakened from internal erosion, an effect referred to as piping. This can occur along hydraulic structures, spillways, conduits, or cracks. Such seepage or leakage can even be caused by an animal burrowing in and around earthen dams. Other reasons Dams which are improperly maintained or built with inadequate materials or unsound design can result in structural weaknesses that lead to catastrophic dam failure. 1.5. Risk factors A broad range of natural and human hazards exist that, taken separately or in combination, increase the probability of dam failure and bring injury to people and property. Structural Factors. The dam structure itself can be a source of risk due to possible design or construction flaws, the complexity of the dam and its appurtenant works, the age and condition of the dam, general foundation and abutment conditions, seepage development, construction material characteristics, and weaknesses which develop because of aging.
12
Poor embankment design or construction can lead to cracking or sliding of the soils which may result in the uncontrolled discharge of water. Poorly installed embankment materials or spillway structures can lead to serious soil piping or seepage, both of which can lead to uncontrolled loss of water. The site immediately surrounding the structure may also increase structural risk if the dam foundation is not treated properly or if excessive reservoir seepage erodes the foundation or abutments. The abutments and foundation may have inherent weaknesses in the form of faulting and rock condition, such as fractures, shear zones, relief jointing and solubility. Some embankment, foundation, or abutment materials have a potential for liquefaction to occur during seismic events. Reservoirs with initial adequate storage capacity can lose their ability to contain flood events by losing storage from sedimentation. Construction material characteristics such as permeability, erodibility, and strength also may present a risk to dam failure if they are inadequate for the dam loading conditions. As dams age, they tend to lose their strength through material deterioration, making them more susceptible to dam failure. Natural Factors. Natural adverse events such as floods from high precipitation and floods from upstream dam failures, earthquakes, landslides and sedimentation are also important contributors to risk. Floods from high precipitation are the most significant natural events that can impact dams and pose a hazard to people and property. Failure to account for these events has been costly both to dam owners and the public in general. Flash floods can happen anywhere, even in small watersheds. Therefore, flood potentials must be included in risk analyses for dam failure. When a natural flood occurs near a dam, the probability of failure and loss of life almost always increases. The sudden surge of water generated by a dam failure usually exceeds the maximum flood expected naturally; therefore, residences and businesses that would escape natural flooding can be at extreme risk from dam failure flooding. When one dam fails, the sudden surge of water may well be powerful enough to destroy another downstream dam, compounding the disaster. Earthquakes are also significant threats to dam safety. Both earthen and concrete dams can be damaged by ground motions caused by seismic activity. Cracks or seepage can develop, leading to immediate or delayed failure. Rock slides and landslides may impact dams directly by blocking a spillway or by eroding and weakening abutments. Indirectly, a large landslide into a reservoir behind a dam can cause an overflow wave which will exceed the capacity of the spillway and lead to failure. A land (or mud) slide can form a natural dam across a stream which can then be overtopped and fail. In turn, failure of such a natural dam could then cause the overtopping of a downstream dam or by itself cause damage equivalent to the failure of a human-made dam. Human Factors. Human behaviour is another element of dam failure risk; simple mistakes, operational mismanagement, unnecessary oversights, or destructive intent can interact with other hazards to compound the possibility of failure.
13
All sorts of other human behaviour should be included in risk analyses. Vandalism for example cannot be excluded and is, in fact, a problem faced by many dam owners. Vegetated surfaces of a dam embankment, mechanical equipment, manhole covers, and rock riprap are particularly susceptible to damage by people. Every precaution should be taken to limit access to a dam by unauthorized persons and vehicles. Mechanical equipment and associated control mechanisms should be protected from purposeful or inadvertent tampering. Detachable controls, such as handles and wheels, should be removed when not in use and stored inside the padlocked building. Another more common activity that poses a risk is the tendency for people to settle below dams. The construction of residences, buildings, and other structures in the potential flood inundation zone creates new risks, and will probably create increased risks in the future. Operating Factors. Operating factors that could pose a risk to dam failure, and thus, create a safety hazard to people and property include the remoteness and accessibility to the site, lack of operator training or experience, poor dam maintenance procedures, lack of an inspection program, reliability of power for electrical equipment, and the complexity of the equipment and operating procedures at the dam. 1.6. Lessons from past failures 1.6.1. St. Francis dam St. Francis Dam was a 60 m high concrete gravity-arch dam constructed by the City of Los Angeles between 1924 and 1926 (figure 1.3).
Figure 1.3. Cross section and downstream view of the former St. Francis dam
59 m
River bed elevation
Downstream steps
Uplift relief wells
42 m
14
The dam failed catastrophically on March 12-13, 1928, killing at least 420 people, making it the worst American civil engineering failure of the 20th Century. Just downstream of the dam the maximum depth of the flood was about 42 m. The average velocity in this reach was about 28 km/hour. Massive blocks of concrete, weighing as much as 10,000 tons, moved as much as 1.2 km downstream. The sequences of the failure are presented in figure 1.4.
Figure 1.4. Failure of St. Francis dam
15
The dam was not designed to incorporate the contribution of arching to its stability. There was no consideration of saturation of the concrete or of hydraulic uplift, which reduces the effective weight of the dam. Originally intended to be 54 m high in May 1923, it was decided to raise dam 3 m in July 1924, shortly after construction began. Another 3 m of height was added in July 1925 This raised the height of the dam by 11% without increasing the base width. A conventional analysis of cantilever stresses in St. Francis Dam assuming full uplift reveals that the dam becomes unstable in overturning when the reservoir rose to within 2 m of its crest! The main section of the St. Francis Dam was constructed with 10 uplift relief wells set in two rows, as shown in figure 1.4. This portion of the dam did not fail, only the sloping abutments, which did not have uplift relief wells. Full uplift may have developed beneath the sloping abutments, which were not afforded uplift relief wells. However, main cause of failure was the large deformation of the geologic formation in the left abutment and piping of its material along the fault. A massive landslide of the dam’s eastern abutment initiated the failure and the entirety of the dam’s left abutment was carried across the downstream face of the main dam. It appears that the landslide happened first, not last. The failure also involved the reactivation of an ancient bedrock landslide which comprised the dam entire left abutment. Additionally, post failure images show a massive tension crack at the dam upstream heel revealing that the dam heel was in tension and tilting downstream when the dam failed. . 1.6.2. Malpasset dam Malpasset dam was an arch dam with a height of 66 m and with 220 m long crest at its crown (figure 1.5). The dam was commissioned in 1954 and it was the thinnest arch dam of its size in the world when it was completed. It was not, however, the fragile dam itself that failed. Instead, failure started in the clay seems of a fault in the rock near the dam left abutment.
Figure 1.5. Malpasset dam at commissioning
16
Dam failure occurred at 21:13 on the 29th November 1959. This was the first collapse of a concrete arch dam. When the collapse occurred, the dam was subjected to a record head of water, which was just about 0.3 m below the highest water level, resulting from 5 days of unprecedented rainfall. The failure was caused by the outburst of a rock block on the left abutment as consequence of high water pressure acting on the less pervious rock mass subjected to large compressive stresses. Geological foliation at left abutment almost parallel to the arch thrust of the dam has created the premises of a stress dependent permeability of the rock. The failure occurred as the arch ruptured when the left abutment gave away. The dam body was left without support on the left abutment and failed in tension (figure 1.6). Failure of left abutment caused uplift and rotation about the right abutment. The water marks left by the wave revealed that the release of water was almost at once.
Figure 1.6. Failure mechanism and the remains of the dam
A more detailed definition of the unstable block (wedge) and of the loads acting on the wedge prior the failure are presented in the figure 1.7, left side. Two large sets of faults created a ‘wedge failure’ at the left abutment. The condition of the left abutment after failure is presented in the same figure, right side. 50,000,000 m3 of water were released. Wave overflowed the banks but followed valley where a tremendous wall of water submerged the spurs of the valley. The wave induced flooding in city of Frejus located 7 km downstream. Wave killed 423 people instantly. The damage was estimated at 68 million US dollars.
PLAN VIEW Removed rock block
PLAN VIEW
17
Figure 1.7. Wedge on the left abutment
1.6.3. Teton dam Teton Dam was constructed by the US Bureau of Reclamation across the Teton River approximately 64 km northeast of Idaho Falls. It was an earth fill dam that had 122 m high creating a 27.4 km long reservoir with a 333 Mm3 capacity. The construction work commenced in June 1972 and the dam was completed and first filling started in November 1975. The dam was designed as a zoned earth and gravel fill embankment, having slopes of 3.5 H: 1 V on the upstream and 2 H: 1 V and 3 H: 1 V on the downstream, a height above the bed rock of 126 m, and a 945 m long crest. The hydraulic was 93 m. The crest width was 12 m. The cofferdam was incorporated into upstream shell (figure 1.8). The embankment material consisted of clayey silt, sand, and rock fragments taken from excavations and burrow areas of the river's canyon area. It had a compacted central core. Narrow trenches 21 m deep, excavated in rock and compacted with sandy silt and a deep grout curtain beneath a grout cap were the measures taken to control the foundation seepage. Teton dam was located in a steep-walled canyon cut by the Teton River into a volcanic plateau. The bedrock on site was tertiary rhyolite welded-tuff, which is strongly jointed, with joint widths varying at different elevations typically between 0.8 and 7.5 cm but with occasional joints up to 30 … 40 cm wide.
18
Figure 1.8. Cross sections of Teton dam
Percolation tests and pumping tests revealed that the joints were capable of transmitting large volumes of water. These investigations indicated the presence of an extensive interconnecting system of joints, which made the rock extremely permeable and indicated the need to seal the joints in order to reduce the leakage to acceptable quantities. Since the amount of grout needed was a tremendous amount, it was concluded that it would be more economical to remove the top 20 … 25 m of rock in the abutments and incorporate a deep key trench to prevent seepage. The dam failed during its first filling on June 5, 1976, releasing 308 million m3 of reservoir water. A flood at an estimated peak discharge in excess of 28,300 m3/s had occurred. A breach 46 m wide at its bottom and 79 m deep had formed. The time of failure was recorded as four hours. The cause of failure was attributed to piping progressing at a rapid rate through the body of the embankment. The main findings suggested that erosion on the underside of the core zone by excessive leakage through and over the grout curtain was the cause of destruction.
MAIN CROSS SECTION
CROSS SECTION WHERE FAILED STARTED
ZONE 1
19
Sequences of failure are presented in figure 1.9. Earlier on the day of failure, leaks were observed about 30 m below the top of the dam. After four hours, efforts to fill the holes failed and the dam breached by the noon time.
Figure 1.9. Sequences of the failure process The fundamental cause of failure was regarded as a combination of geological factors and design decisions, which taken together allowed the failure to occur. Numerous open joints in abutment rock and scarcity of more suitable materials for the impervious zone were pointed out as the main causes for the failure of the dam. Furthermore, the deep key trenches developed arch action that induced cracking and
Leaks at downstream face
Breach development
20
hydraulic fracturing of material for impervious zone. These were also attributed as possible causes of failure. The dam failure had an extremely low death toll, of only 11 deaths, due to very efficient early warning systems. However, 25,000 people were left homeless, 2 towns were destroyed, 20,000 head of cattle killed and the power plant at dam toe was destroyed. $1 Billion was spent for cleanup over several years. The dam was never rebuilt. 1.6.4. Vajont dam Vajont Dam built across the Vajont Valley, is an arch dam 262 m high, located in the Dolomite Region of the Italian Alps, about 100 km north of Venice. The chord of the dam was 160 m, and the volume of impounded water was 115 million m3. Dam structure is slender, according to the very favourable site (a deep, narrow gorge) and is provided with a pulvino joint (figure 1.10). The dam, one of the highest in the world, was completed in 1961 and used to generate hydropower.
Figure 1.10. Vajont dam - characteristic cross sections The Vajont reservoir disaster is a classic example of the consequences of the landslides of the reservoir banks. During the filling of the reservoir a block of approximately 270 million m3 detached from one wall and slid into the lake at velocities of up to 30 m/s (approx. 110 km/hour). As a result a wave overtopped the dam by 245 m and swept onto the valley below. The water, estimated to have had a volume of about 30 million m3, then fell more than 500 m onto the villages of Longarone, Pirago, Villanova, Rivalta and Fae, totally decimating them. A total 2500 lives were lost. Remarkably the dam remained unbroken by the flood. The by-pass tunnel is still used for the generation of hydropower (figure 1.11).
21
Figure 1.11. Vajont dam and reservoir after landslide It appears that during the construction of the dam the chief engineer was concerned about the stability of the left bank of the dam, and a number of reports were compiled on this during 1958 and 1959, which identified a possible prehistoric slide on the right bank. It was concluded that deep-seated landslides were extremely unlikely. However, before final completion of the dam, on 4 November 1960, with the depth of the reservoir of 180 m, a large failure occurred when 700 000 m3 of material slid into the lake in about ten minutes. As a result the level of the reservoir was gently dropped back to 135 m. It was realized that additional and even larger landslides could lead to the blockage of that section of the reservoir. However the volume of water in the unblocked (upstream) section would still be sufficient to allow the generation of electricity. Hence a bypass tunnel was constructed on the opposite (right) bank such that if the reservoir was divided into two sections the level of the lake could still be controlled. It was assumed that by elevating the level of the reservoir in a careful manner movement of the large landslide mass could be initiated. The rate of movement could be controlled by altering the level of the reservoir such as the over-topping of the dam would be avoided. From the beginning of October 1961 two raise and drawdown cycles were conducted, keeping the slide velocities in the range of 2 … 3 cm /day. At 22:38 GMT on October 9 1963 catastrophic failure of the landslide occurred. Failure occurred in a brittle
Slide mass
Sliding surface
mass
Vajont dam
22
manner, inducing catastrophic loss of strength. A schematic cross-section through the Vajont valley after the landslide is presented in figure 1.12. A wave of water was pushed up the opposite bank and destroyed the village of Casso, 260 m above reservoir level, before over-topping the dam by up to 245 m.
Figure 1.12. Schematic cross-section through the Vajont valley
1.6.5. Banqiao dam The Banqiao dam was built in the early 1950s on the Ru River as part of a project to control flooding and generate electricity and as a response to severe flooding in the Huai River Basin in 1949 and 1950. The dam was 118 meters high and had a storage capacity of 492 million m3 with 375 million m3 reserved for flood storage. The Dam was designed to survive a 1-in-1,000-year flood (306 millimetres of rainfall per day). In August of 1975, however, a 1-in-2,000 year flood occurred, poured more than a year's rainfall in 24 hours (new records were set, at 189.5 millimetres rainfall per hour and 1,060 millimetres per day, exceeding the average annual precipitation of about 800 millimetres) which weather forecasts failed to predict. Communication to the dam was largely lost due to the collapse of buildings under heavy rain and wire failures. The sluice gates were not able to handle the overflow of water, partially due to sedimentation blockage. On August 6, a request to breach the dam was rejected, because of the existing flood in downstream areas. On August 7 at 7:30 p.m. it was sent the first dam failure warning via telegraph. On August 8, 12:30 a.m., the smaller Shimantan Dam, that was designed to survive a 1-in-500-year flood, failed to handle more than twice its capacity and broke upstream. A half hour later, at 1:00 a.m., water overtopped the Banqiao dam and it too failed (figure 1.13). The dambreak wave was 78,800 m3/s, and 701 million tons of water was released in 6 hours. This precipitated the failure of 62 dams in total. The resulting flood waters rush downwards into the plains below at nearly 50 km/ hour, and almost wiped out an area 55 kilometers long, 15 kilometers wide, and created temporary lakes as large as 12,000 square kilometers. Seven county seats were inundated, as were thousands of square kilometers of countryside and countless communities. Evacuation orders had not been fully delivered because of weather
23
conditions and poor communications. While only 827 out of 6,000 people died in the evacuated community of Shahedian just below Banqiao Dam, half of a total of 36,000 people died in the unevacuated Wencheng commune of Suipin County.
Figure 1.13. Banqiao Dam after the failure To protect other dams from failure, several flood diversion areas were evacuated and inundated, and several dams deliberately destroyed by air strikes to release water in desired directions. Many of the dams have been rebuilt, including Banqiao in 1993 and Shimantan in 1996. In 2005, Typhoon Haitang approached China and dropped heavy rains in the area but did minimal damage to dams. 1.6.6. Belci dam Belci Dam, a clay core earthfill structure, was located on the Tazlau River in northeast Romania. The dam was a clay core earthfill, of 18 m maximum height and a 240,000 m3 fill volume (figure 1.14). The spillway consisted of four overflowing bays equipped with 2.5 x 11 m flap gates. The two central openings were provided with bottom outlets, equipped with 2.5 x 11 radial gates. During the 29 years of existence of the dam a series of significant floods were successfully routed through the reservoir. During the night of July 28-29, 1991, torrential rainfall of an exceptional magnitude occurred. The supply of electricity to the dam failed, preventing the full opening of the gates. One radial gate had been lifted by only 40 centimetres at the time of the power outage, and the other radial gate never opened. Dam operating personnel tried to unblock and lower the flaps manually. After the dam failure, it was found that three of the four flap gates remained blocked.
24
Figure 1.14. Belci dam before the failure The failure has developed in two phases. The first failure occurred by superficial erosion and downstream slope sliding. A breach of 80 m wide and 3 to 4 m deep was created. The second failure correspond to an enlargement of the prime breach to 100 m and deepening of it to about 6.5 m, limited by the siltation level in the reservoir (figure 1.15). The peak inflow to the reservoir was about 2,200 m3/s, and the peak outflow from dam failure was about 3,000 m3/s.
spillway bay with bottom outlet
spillway bay with flap gate only
25
Figure 1.15. The breach in Belci dam The flood and the resulting dam failure had disastrous consequences. Slobozia, a village 2 kilometres downstream from the dam, was largely destroyed; 17 lives were lost, 119 houses were completely destroyed, and 24 houses were damaged. The main flooding of Slobozia occurred at 06:30 hours. Warning was initiated at 02:15 hours, approximately 4 hours before the main flood hit Slobozia. However, the warning of the population downstream on the night of the accident was not sufficiently vigorous or efficient. The peak reservoir inflow was nearly 75 percent of the dam failure outflow, so even in the absence of dam failure, major downstream losses probably would have occurred. The exceptional torrential rainfall caused widespread damage to the whole of Bacau County. A total of 78 people were killed, and 19 were reported missing. BIBLIOGRAPHY Bernaix , J., (1967). Etude géotechnique de la roche de Malpasset. Thêse. Dunod, Paris. Bureau of Reclamation. (2002). Spillway Gate Failure or Misoperation: Representative Case Histories. Water Operation and Maintenance Bulletin. No. 202. Denver. Burrows, S. (2003). The Malpasset Dam Failure. Power Point Presentation. Diacon, A., Stematiu, D., Mircea, N. (1992). An analysis of the Belci dam failure. Water Power and Dam Construction, Vol. 44, Nr.9, Sept.
Spillway
Final breach
26
Federal Emergency Management Agency (2006). Why Dams Fail? www.fema.gov /hazard/dam failure. Hoeg, K. (1998). New dam safety legislation and the use of risk analysis. Hydropower and Dams, Issue 5. Hendron, A., Patten, F. (1985). The Vaiont slide. Felsmehanik und Ingeneur-geologie, N0.2. Kreuzer, H. (2000). Risk analysis for existing dams: merits and limits of credibility. Hydropower and Dams, Issue one. Lemperiere, E. (2002). Non-structural measures for cost-effective risk reduction. Hydropower and Dams, Issue four.
Londe, P. (1993). Safety evaluation using reliability analysis. Proceedings of the International Workshop on Dam Safety Evaluation, Grindelwald, April.
Panet , M. (1976). La mécanique des roches appliquée aux ouvrages du génie civil. L'Ecole Nationale des Ponts et Chaussées. Rettemeier, K. (2000). Risk Assessment- New Trends in Germany. Proceedings of 20th ICOLD Congress, Q76, R41, Beijing. Robby, W., Burke, K., McLaren, M., Wolfe, J. (2002). Failure of Teton dam: geotechnical aspects. Water Power and Dam Construction, Vol. 54, Nr.7, July. Rogers, D., Hasselmann, K. (2006). Reassessment of the St. Francis dam failure. Power Point Presentation. University of Missouri-Rolla Stematiu, D., Ionescu, St. (1992). Probability of failure: a useful concept in design practice. Dam Engineering, Volume 3, Issue 1, February. Stematiu, D., Ionescu, St. (1992). Safety and risk in hydraulic structures (in Romanian). Editura Didactica si Pedagogica, Bucharest. Vrijling, J. (1996). Safe dams and dikes, how safe? Publication of Delft University of Technology, The Netherlands. Yi Si, (1998). The World's Most Catastrophic Dam Failures: The August 1975 Collapse of the Banqiao and Shimantan Dams. The River Dragon Has Come!: Three Gorges Dam and the Fate of China's Yangtze River and Its People. New York.
27
2. RISK ANALYSIS CONCEPT
2.1. Approaches to risk analysis
Risk analysis processes can be grouped into three categories: Standards-based, Qualitative and Quantitative. Under standards-based approach (SBA) risk analysis is not carried out explicitly. Rather, consideration of risk is implied through the selection of the design loads for normal and unlikely events and of the safety coefficients based on a certain classification scheme. Usually, any dam classification reflects the dam and reservoir characteristics and the relative severity of the consequences of dam failure. Qualitative approaches consider risk more explicitly than the standards-based approach without characterising the uncertainty in mathematical (probabilistic) form. The simplest of these techniques are indexing and ranking schemes that consider the extent to which there is concern about the safety of dams and the consequences of their failure for one or all of the following purposes: • setting monitoring and surveillance programs; • prioritising more detailed studies and; • dam safety improvements. Failure Modes and Effects Analysis (FMEA) is a formal qualitative risk analysis technique. Interpreting the results of the FMEA may require some measure that describes severity, importance, criticality, potential to occur, etc. Expressing the combination of frequency and severity as a "criticality" is one way to provide a metric. This is achieved by extending the FMEA to include criticality considerations through Failure Modes, Effects and Criticality Analysis (FMECA). Failure Modes and Effects Analysis process is descriptive and qualitative and provides the engineers a comprehensive understanding of the dam. The process is aimed at systematically developing a picture of the dam system, its components and their interactions, and presenting details of how component failure could lead to dam failure, the magnitudes of the failure effects and the criticality of the various components in preventing the risks from materializing. The term "system" is used in a general sense and its definition is a matter of modelling convenience. Where relevant, it can and should include a series of dams in "cascade" on the one river basin. It refers to a group of interacting, interrelated, and interdependent elements that form the complex whole. The dam/reservoir/river basin system is an example (figure 2.1).
28
Figure 2.1. Functional model of a dam / reservoir / river basin system (after ICOLD 130 Bull.)
Dams also may be represented as systems, and even subdivided into sub-systems all the way down to basic components (e.g., earth core, filters, grout curtain and rip-rap protection as in figure 2.2). Since the function of a dam as a whole is to retain water (with some allowable seepage), the functional failure of a dam occurs when, for example, the system ceases to retain water (which can include severe leakage).
Figure 2.2. System components of a fill dam (after ICOLD 130 Bull.) Failure Mode, Effects and Criticality Analysis is an extension of the FMEA by including the probability of occurrence and consequence to the system for each failure mode. It provides a means of ranking the failure modes in terms of an index of risk that incorporate representations of probability and consequences. This creates a sound basis for prioritizing corrective or remedial actions. The dam system components that are involved in starting certain failure mechanisms are identified. The extent to which the damage of the given component may contribute to the dam failure is characterized by a criticality (gravity) index IG:
Outflow
29
IG = CM • PC • DC
where: - CM is a partial index that expresses the component share in the failure mechanism; - PC is a partial index that expresses the component failure probability; - DC is a partial index that expresses the extent to which the component failure may be detected in advance. Each partial index is evaluated on a scale from 1 to 5. The maximum value of the criticality index IG =125 corresponds to the component, the failure of which has an extremely important effect in starting the breaching mechanism (CM=5), its failure is most likely (PC=5) and, at the same time, it is very difficult to detect in advance (DC=5).
An example is presented in the followings based on figure 2.3 and table 2.1. It is the case of Aurul tailings pond.
Figure 2.3. Aurul tailings pond The components that may be the potential causes of the failure are presented in the table. For example, the reduction of the freeboard leads undoubtedly to the dike breaching (CM=5) and the probability of such an event occurring is relatively high (PC=4). However, it is not difficult to detect such a situation (DC = 1). As far as the water collection system is concerned, its failure leads to the tailings dike breaching due to the excessive volume and level of the accumulated water (CM=5). The failure probability is medium (PC = 3), but the detection in advance, to permit useful interventions, is rather difficult (DC = 4). Likewise, the indices for the rest of the components have been established.
30
Table 2.1: Evaluation of gravity indices for safety parameters and pond components
Parameter or component
CM PC DC IG= CM⋅PC⋅DC
Freeboard Beach width Downstream slope Material granulometry of dikes Water collecting system Drainage system Pumping station Pond-plant pipes
5 4 5 3 5 5 2 3
4 4 4 4 3 2 3 4
1 1 1 3 4 4 1 2
20 16 20 36 60 40 6 24
As can be observed, the water collection system has a maximum criticality index and as a consequence the maintenance of the penstock and associated pipes has first priority Quantitative approaches include formal reliability analysis methods, quantitative event tree and fault tree models of system failures and associated consequences. Event tree and fault tree methods may include the use of various simulation and reliability analysis methods. A fully quantitative and scientific risk analysis would require: • complete identification of the physical features of the dam - foundation - reservoir
system and the natural conditions that cause system response; • identification of failure mechanisms; • use of physical laws and engineering relationships within and amongst mechanisms. The output of such a fully quantitative risk analysis is a measure of the risk that includes complete mathematical specification of the uncertainty in the estimate. In a reliability analysis it is necessary to establish the chance that a given load or distribution of loads is greater than, or equal to, the capacity of the structure to resist load; or, in other words, the chance of failure. The analyses require estimates of means and standard deviations for loads and strength parameters. Risk estimation incorporates failure probability along with consequence magnitude and associated probability. Once the failure modes have been identified event trees and/or fault trees can be utilized to provide the framework for determination of the failure probabilities. The connection between a fault tree and the corresponding event tree is presented in figure 2.4. On the left side the fault tree investigates the conditions and factors that can contribute to dam failure (called the top event). On the right side the event tree identifies the possible outcomes, and if required their probabilities, given the occurrence of the top event. Event trees are currently most commonly used for analysis of dams.
31
Figure 2.4. Schematic fault and event tree connection Event Tree Analysis is a technique, either qualitative or quantitative, that is used to identify the possible outcomes, and if required their probabilities, given the occurrence of an initiating event. Event Tree Analysis is an inductive type of analysis where the basic question that is addressed is "What happens if..." e.g., "What happens if there are high inflows?" An example of an event tree for one failure mode for a dam subjected to a flood hazard is illustrated in figure 2.5.
Figure 2.5. Example of a quantitative Event Tree Analysis (after ICOLD 130 Bull) In dam safety applications, Event Tree Analysis reveals the relationship between the functioning and failure of various mitigating systems and it is useful for identifying
„TOP“EVENT
CAUSES CONSEQUENCE
(DAM FAILURE)
SCENARIO 1 SCENARIO 2
1
2
3
4
5
6
7
FAULT TREE EVENT TREE
32
events that require further analysis using fault tree techniques (i.e. individual event tree branches become the top events of the fault trees). Fault Tree Analysis is a technique, either qualitative or quantitative, by which conditions and factors that can contribute to a specified undesired event (called the top event) are deductively identified, organized in a logical manner and represented pictorially. The faults identified in the tree can be events that are associated with component hardware failures, human error or any other pertinent event that leads to the undesired outcome (e.g. dam overtopped). Starting with the top event, the possible causes or failure modes on the next lower functional system level are identified. Following the step-by-step identification of undesirable system operation to successively lower system levels will lead to the desired system level, which is the failure mode. A conceptual example of a fault tree for the failure of the downstream slope of an earth dam is presented in figure 2.6. A special kind of risk analysis is Portfolio Risk Analysis. The risk analysis does not refer to a certain dam but to a portfolio of dams belonging to the same owner. The method is “judgmental” technique and a decision analysis which results in a prioritization listing for dam safety actions within the portfolio of dams. The portfolio risk analysis generally seeks to determine where maximum utility may be gained for limited risk reduction amount of money, and as such it has been found to be a beneficial framework for some owners.
P42=10-6P21=10-4
Sliding of DS slope
Low shear strength
Steeper slope
Rise of seepage line
Shell saturation
Lack of compaction
Fill non- homogeneity
Storm event
Rapid snow melting
Damage of US watertightening
Drainage clogging
Anisotrpic fill permeability
Pf = 3.23 x 10-4
P1=10-4 P2=1.1x10-4 P3=1.11x10-4 P4=2 x10-6
30.9% 0.1% 34.4% 34.6%
OR
OR OR
P22 =10-5 P41=10-6
P31=10-5 P32=10-6 P33=10-4
Figure 2.6. Example of a fault tree: slope sliding
33
As for model selection, there is the problem of balancing its refinement with the amount of information available to create the model, see figure 2.5. The results from event trees are more reliable if available data allow quantitative approaches. However, to apply such an approach needs scrutiny of data and success in finding them. Any 'unbalanced' input renders results of little practical relevance. This is damaging for the credibility of risk analyses.
Figure 2.5. Hierarchy of risk analysis approaches: model selection versus level of information (after H. Kreuzer)
2.2. The basic concept of quantitative analysis The basic concept is presented on the basis of figure 2.6. The 'primary failure causes' are adverse events imposing on the dam. They trigger a response of the dam defined as 'hazardous conditions'. Grouped in scenarios, the probabilities of failure, here P1 to P4, are obtained from event trees or reliability analysis. The total probability of failure is the sum of failure probabilities corresponding to each scenario. An assessment of consequences renders the risk of each scenario, R1, to R4, first in terms of probabilities and then in monetary units. In an actual analysis, the blocks of figure 2.6 would be replaced by a diagram of more detailed interconnected events, for example, by an event tree.
34
Figure 2.6. Cause-consequence analysis for dam safety evaluation (after H. Kreuzer)
2.3. Dam failure consequences Dam failure consequences are typically grouped into two main categories: direct damages due to contact with the floodwaters, and indirect damages that result from the direct damages. The direct damages are predominantly loss of life, physical loss/damage to property and infrastructure, and environmental degradation. Indirect damages (such as costs of emergency response, loss of production, personal grief, societal trauma and loss of confidence in public institutions) cover a wide range of complex social, economic and environmental considerations that require the input of specialist professionals. There are various classification systems for further sub-
35
dividing consequences, and the associated risks, usually according to type (such as life safety, economic/financial, environmental, and intangible) and the group that bears the risk (dam owner, population at risk, and community - at local, regional or national level). The estimation of the uncertainties associated with dam failure consequences poses immense difficulties because the scenarios that must be modelled are unique, complex and poorly understood. 2.4. Risk assessment Risk assessment is the process where the understanding of the risk (Risk Analysis) is compared to societal tolerated risks of a similar nature (Risk Evaluation), allowing a decision regarding the requirements for control of the risk. The decision may involve consideration of legislated requirements, codes and standards, good practice, engineering judgement, risk based analysis and societal values and expectations. As the dam safety profession has matured since the 1970’s it has realised that although traditional practice has served well it may not provide a comprehensive view of all the risks. Examples would be the influence of human error contributing to dam risks, the contribution of lesser but more frequent flood events to dam flood risks, the risk of long term piping in embankment dams due to inadequate filters.
BIBLIOGRAPHY Bureau of Reclamation. (2003). Dam Safety Risk Analysis Methodology. Technical Service Center. Denver, Colorado
Hartford, D., Baecher, G. (2004). Risk and uncertainty in dam safety. Thomas Telford. London.
Hoeg, K. (1998). New dam safety legislation and the use of risk analysis. Hydropower and Dams, Issue 5. ICOLD. (2006). Risk Assessment in Dam Safety Management. ICOLD Bulletin 130. Paris. Kreuzer, H. (2000). Risk analysis for existing dams: merits and limits of credibility. Hydropower and Dams, Issue one. Lafitte, R. (1993). Probabilistic risk analysis of large dams. Water Power and Dam Construction. 45.
Londe, P. (1993). Safety evaluation using reliability analysis. Proceedings of the International Workshop on Dam Safety Evaluation, Grindelwald, April.
36
Nielson, N., Vick, S., Hartford, D. (1994). Risk Analysis in British Columbia. International Water Power and Dam Construction, March.
Slunga, E. (2001). Concept and bases of risk analysis for dams with an example application on Kyrkösjärvi dam. RESCDAM-project report. Helsinki University of Technology Stematiu, D., Brauns, J. (2003). Safety Evaluation of Aurul Tailings Pond following the Remedial Measures after the January 2000 Accident. Proc. of International Symposium on Major Challenges in Tailings Dams, Montreal, June, 2003. Vick, S. (1997). Dam safety risk assessment: new directions. Water Power and Dam Construction .49, July.
37
3. DAM FAILURE PROBABILITY
3.1. Failure modes identification 3.1.1. General A failure mode describes how the failure of a certain dam element or component must occur to cause dam system failure. In this regard, failure modes are not unique features of the dam system but artefacts of how the dam system is modelled. In general, the dam system is broken down into sub-systems (dam structure, foundation, spillway, mechanical equipment, stilling basin etc) to a level where there is a thorough understanding of the failure modes of the elementary sub-systems. General failure mode categories can be prepared for dams but these general categories are often too general for definitive analysis. For example, failure modes of earthfill dams can be broadly categorised in terms of: hydraulic overtopping, internal erosion/piping, mass movement and slope instability. These general categories of failure modes are usually too broad for definitive analysis and should be expanded by going deeper into the system and carrying out the analysis at a more basic level. Each failure mode can be due to one or more hazards or failure mode initiators. Typically for dams, these failure mode initiators are extreme storms, earthquakes, design and construction flaws in conjunction with normal hydraulic loads, and human agency (mis-operation, sabotage etc.). Identification of hazards may be relatively straightforward. However, identification of internal failure causes may not be so straightforward and may involve consideration of interactions between failure modes of one sub-system, failure mechanisms of another sub-system and failure effects of a third subsystem and so on. A failure mechanism describes the physical processes and states that must occur, in accordance with natural laws, for the failure mode to progress from failure mode initiation (cause) through to the realisation of ultimate failure effect of interest. Taken as an initiating event the clogging of the drainage system of an earth dam, the seepage line raising has to be in accordance to permeability characteristics and embankment zoning of that particular dam and the shear strength water content dependency of its fill material in order to induce the sliding of the downstream slope. 3.1.2. Earth dam failures modes Earth dam failures modes can be grouped into three general categories: overtopping failures, seepage failures, and structural failures. A brief discussion of each type follows.
38
Overtopping Failures Overtopping failures result from the erosive action of water on the embankment. Erosion is due to uncontrolled flow of water over, around, and adjacent to the dam. Earth embankments are not designed to be overtopped and therefore are particularly susceptible to erosion. Once erosion has begun during overtopping, it is almost impossible to stop. Most studies seem to accept that the probability of failure approaches 1.0 when the depth of water overtopping the dam is between 0.5 m and 1m for a modern compacted rockfill, but near zero for poorly compacted earthfill. A well vegetated earth embankment may withstand limited overtopping if its crest is level and water flows over the crest and down the face as an evenly distributed sheet without becoming concentrated. Seepage Failures All earth dams have seepage resulting from water permeating slowly through the dam and its foundation. Seepage must be controlled in both velocity and quantity. If uncontrolled, it can progressively erode soil from the embankment or its foundation, resulting in rapid failure of the dam. Erosion of the soil begins at the downstream side of the embankment, either in the dam proper or the foundation, progressively works toward the reservoir, and eventually develops a direct connection to the reservoir (figure 3.1). This phenomenon is known as "piping." Piping action can be recognized by an increased seepage flow rate, the discharge of muddy or discolored water, sinkholes on or near the embankment, or a whirlpool in the reservoir. Once a whirlpool (eddy) is observed on the reservoir surface, complete failure of the dam will probably follow in a matter of minutes. As with overtopping, fully developed piping is virtually impossible to control and will likely cause failure.
Figure 3.1. Piping through dam fill or foundation Seepage can cause slope failure by creating high pressures in the soil pores or by saturating the slope. The pressure of seepage within an embankment is difficult to
39
determine without proper instrumentation. A slope which becomes saturated and develops slides may be showing signs of excessive seepage pressure (figure 3.2).
Figure 3.2. Slope failure due to seepage Breaks, separation of joints, or loss of conduit material within the dam structure itself could lead to leakage of water under pressure into the interior of the dam. This action could cause the washing out of material from within the dam embankment, creating the possibility for structural failure of the dam (figure 3.3).
Figure 3.3. Piping along the bottom outlet pipe
40
Probably the most potentially serious situation is when a rupture occurs in the conduit on the upstream side of the gate. Because high water pressures are maintained on the upstream side of the control mechanism, a leak which develops can cause greater internal erosion and at a faster rate. The simple fact that high pressures exist in the conduit makes the development of leaks and seepage more likely. For this reason new dams are constructed with their low level outlet controls located at the upstream side of the dam. Structural Failures Structural failures can occur in either the embankment or the appurtenances. Structural failure of a spillway, of a bottom outlet, or other appurtenance may lead to failure of the embankment. Most instability problems arise because of weak zones in the foundation or in the dam such as a bedding surface shear in the foundation, or poorly compacted softened zone in the dam. Cracking, settlement, and slides are the more common signs of structural failure of embankments. Large cracks in an appurtenance or the embankment, major settlement, and major slides will require emergency measures to ensure safety, especially if these problems occur suddenly. If this type of situation occurs, the lake level should be lowered, the appropriate state and local authorities notified, and professional advice sought. The three types of failure previously described are often interrelated in a complex manner. For example, uncontrolled seepage may weaken the soil and lead to a structural failure. A structural failure may shorten the seepage path and lead to a piping failure. Surface erosion may result in structural failure. Minor defects such as cracks in the embankment may be the first visual sign of a major problem which could lead to failure of the structure. The seriousness of all deficiencies should be evaluated by someone experienced in dam design and construction. A qualified professional engineer can recommend appropriate permanent remedial measures. 3.1.3. Concrete dam failure modes The evaluation of risk of exposure of concrete dams requires a close examination of all possible modes of failure. Concrete dam failures usually fall into one of the following categories:
- Overturning or sliding resulting from erosion of the supporting foundation and / or abutments;
- Abutment or foundation failure due to overstressing; - Structural failure of concrete unable to sustain imposed loads.
Three major potential modes of failure of gravity dams include: 1) overstressing, 2) sliding along cracked surfaces in the dam or planes of weakness within the foundation, and 3) sliding accompanied by rotation in the downstream direction. A gravity dam may collapse in one or more sections. The prevailing mode of failure for gravity dams is probably sliding along the base of the dam or along planes of weakness within the foundation (figure 3.4). Potentially an arch dam may fail as a result of either excessive contraction joint opening combined with cantilever tensile cracking or movements of the abutment rock wedges formed by rock discontinuities.
41
Figure 3.4. Sliding along the base or along planes of weakness within the foundation
A potential mode of failure in concrete dams under the natural hazard of extreme flood is that of progressive sliding and separation of joints in the rock foundation, with the simultaneous participation of a group of monoliths in either the central or the abutment regions of the dam. The effect of uncontrolled leakage through the foundation material over time can cause deterioration of rock. The loss of foundation material from seepage forces may leave voids beneath the spillway, which decreases the overall support for the spillway. Settlement and cracking of concrete structures and the displacement of stilling basin structures may be attributable to foundation piping. Floods overtopping the dam may cause scouring leading to undermining of the dam. In some cases, such as concrete weirs on an alluvial foundation, flow through the spillway may scour the foundation. The evolution of such a process is shown in figure 3.5. 3.1.4. Failure modes related to floods In the case of embankment dams failure due to flood can occur by overtopping of the embankment, scour of the spillway chute or energy dissipater (leading to undercutting of the embankment), or overtopping the spillway chute walls, leading to scour and undercutting of the embankment. Spillway chute walls are often likely to overtop at floods less than the flood to overtop the dam. If the chute is adjacent the embankment, the overtopping can scour the dam and lead to failure. In the case of concrete dams floods overtopping the dam may cause scouring leading to undermining of the dam. In some cases, such as concrete weirs on an alluvial foundation, flow through the spillway may scour the foundation. Overtopping a concrete dam can also lead to a stability failure of the dam, and care must be taken in selecting the critical section for analysis. Once a dam is overtopped the force distribution changes and the maximum section may no longer be the critical section.
42
Figure 3.5. Dam failure due to structure undermining
3.1.5. Failure modes related to earthquakes Earthquakes can certainly cause damage to dams but complete failure of a large dam due to earthquake damage appears to be very rare. Earthquakes have been the cause of only around 1.5% of all dam failures, and these have mostly been the result of liquefaction of the dam or the foundation. Earthquake induced damage to several concrete dams indicated that concrete dams are not immune to earthquake damage as had commonly been presumed. During intense earthquake motions, vertical construction joints may slip or open, concrete
Erosion of soil downstream of the stilling basin
Failure of sheet piles by undermining
Collapse of stilling basin into scour hole
Dam failure
43
may crack and the stored water may locally separate from the upstream face of the dam, resulting in cavitation. The experience gained from the field behaviour of gravity dams under seismic loads shows that certain dam portions are most likely to be damaged. However, such local damage may not necessarily affect the overall stability of the structure. Many of the existing arch dams have safely survived strong earthquakes. The only imaginable failure mechanism of arch dams under earthquake action may be triggered by the opening of the joints between neighbouring blocks, which renders the structure discontinuous and overloads the cantilevers. These cantilevers cannot withstand the additional load share and failure occurs usually through base shear. Structural failure examples, from little damage to total destruction of embankment dams have been observed on dams around the world as a result of earthquakes. Some of the common effects caused by earthquake shaking are summarized below. Cracks and fissures. The upper parts of a dam are particularly vulnerable during earthquake motion. Embankment dams, however, are susceptible to cracking and the design must eliminate the potential for internal erosion or piping as a result of water passing through a crack. Earthquake-induced fissures and cracks could be a result of differential settlement, fault rupture movement, or tensile strength failure of the embankment or foundation materials. Deformation by earthquake can interrupt the integrity of internal filters. Sliding events normally occur as a result of loss of shearing resistance along weak planes or within soils. Earthquake wave vibrations cause sliding in soil and rock, particularly where the factor of safety against sliding is marginal in the static state. Slides are often caused by liquefaction. Liquefaction. Certain saturated cohesionless materials such as sand and silt lose shearing resistance when subjected to the cyclic motion of an earthquake and can thus flow as in a liquid state or cause slides. Liquefaction can occur in a foundation, within the dam itself, in the abutments, or in slopes above or below the reservoir, provided liquefiable soil conditions exist. 3.1.6. Failure modes related to gate failures A spillway may be controlled or uncontrolled; a controlled spillway is provided with gates or other facilities so that the outflow rate can be adjusted. The most widely used type of gate for large installations are flap and radial (or tainter) gates. A gated spillway provides for greater flexibility in reservoir operation than a dam having an uncontrolled spillway. The failure, misoperation, or use of spillway gates may cause downstream flooding that can range from minor to catastrophic. If gates cannot be opened during a major inflow at a reservoir, dam overtopping and possible dam failure may result. If dam failure does not occur, the reduced outflow from the dam may have the benefit of reducing downstream flood damage.
44
Spillway gates fail to open could be caused by loss of electrical power; undersized motors; failure of automatic control systems; corrosion of wire ropes, rope connections, or bolted connections; failure of cart-mounted hoist equipment; displacement of concrete structural components; lack of maintenance; or other design or operational defects. Spillway gates fail structurally because of a deficiency in gate design or lack of maintenance, causing a sudden increase in discharge downstream from the dam. Debris blockage of spillway gates impedes outflow, possibly leading to damage to spillway gates and/or overtopping and dam failure. Spillway gates operated incorrectly can release larger outflows than inflow discharges leading to severe consequences. It is possible that some cases of misoperation go unreported. 3.2. Failure probabilities based on statistical data These methods use the historic performance of dams similar to the dam being analyzed to assess a historic failure frequency, and assume that the future performance of such dams will be similar. In some cases, the performance of dams during first filling, or in the first 5 years, is separated from later performance. Referring to recorded dam behavior incidents, distinction should be made between failures and accidents. Failure is the collapse or movement of part of a dam or part of its foundation, so that the dam cannot retain water. In general, a failure results in the release of large quantities of water. Accident is the collapse or movement of part of a dam or its foundation, requiring lowering of the water level in the reservoir and/or major repair but not leading to an uncontrolled release of reservoir contents. Only failure events are the basis for assigning probabilities of failure. Tables 3.1 summarize the statistics of failures and accidents for concrete and masonry large dams.
Table 3.1. Incidents recorded at concrete and masonry large dams.
Frequency of Failure x 10-5
Concrete Gravity Masonry Gravity
Year Commissioned Overall
First 5 Years
After 5 years
Overall
First 5 Years
After 5 years
1700-1929 15 100 9 54 520 34 1930-2000 3.5 14 1.4 42 160 24 Detailed studies of the statistics have established that 75% of concrete dam failures were due to a foundation failure. The statistical data indicate that half of these failures occurred during the first filling of the reservoir, i.e. at the time of the first loading of the rock foundation.
45
Today safety performance of large dams is significantly improved as compared with the one recorded in the past due to acquired knowledge in the field of dam engineering. Statistic of dam failure vs. construction date and age of dam is shown in figure 3.6.
Figure 3.6. Statistic of dam failure vs. construction date and age of dam (after P. Londe)
Figure 3.6 also indicates how the frequency of failures decreases with dam age; it can be seen that a dam built at the turn of the century and still standing is in fact as safe as a modern dam. A general conclusion of this discussion is that the yearly probability of failure of a dam built at present is of the order of 10-5. This is a very small probability indeed. Table 3.2 summarizes the statistics of failures for embankment large dams up to 1990.
Table 3.2. Failures recorded at large embankment dams on different geographic
areas.
Cause Europe USA Japan Developing countries
External erosion Internal erosion Instability
3 - 3
6 15 -
3 - -
13 10 1
Failure/year/dam !0-5
6 10 3 15
The statistical results for embankment dams are quite different. First of all the yearly failure probability of dams built after 1950, all causes considered (overtopping, piping, sliding, etc.), is 2.3xl0-5 and two thirds of the failures occurred after the first filling. This comparison indicates that the rock mechanics problems associated with
10-5
46
concrete dam foundations are globally better controlled than the soil mechanics and hydrologic problems involved in earth dam design and operation. However, it is worth noting that embankment dams built after 1960 are 5 times safer than those built between 1900 and 1939. Only 4% of all failures are due to slope instability. This is because most instability becomes apparent before collapse occurs, with the dam settling or cracking, so intervention to lower the reservoir and/or improve stability can be implemented before the dam breaches. Failure probabilities based on statistics do not directly account for the reservoir loading, including normal operating loads or floods, nor do they allow for the detailed characteristics of the dam or for the ability of those responsible for the operation of the dam to detect a problem developing and to intervene. For this approach to be applicable, a statistically significant number of similar events must have occurred to similar structures in order to allow the extrapolation of probability into the future. For most dams, loading conditions and the characteristics of the structure itself are unique. In many cases, the risk may be well understood in a statistical sense but still be uncertain at the level of individual events. Insurance companies cannot predict whether any single driver will be killed or injured in an accident, even though they can estimate the annual number of crash-related deaths and injuries with considerable precision. Using the historic performance does give only a starting point to estimating probabilities of failure, and should be done for preliminary risk analyses only. 3.3. Failure probabilities based on event trees Principles Event trees are used to represent sequences or progressions of events that could result in adverse consequences when a dam or associated structure responds to various loading conditions. By providing a graphical representation of the logic structure for the progression of each failure mode, an event tree becomes the template for subsequent assignment of event probabilities and calculation of risk. An event tree consists of a series of linked nodes and branches (figure 3.7). Each node represents an uncertain event or condition. Each branch represents one possible outcome of the event or one possible state that a condition may assume. Together, all of the branches emanating from a node should represent the set of possible outcomes or states. The risk associated with one sequence in the event tree is the product of the load probability, the structural response (failure) probability given that the load has occurred, the adverse consequence given that the load and failure have both occurred, and the magnitude of that consequence. The total risk for the load category is the sum of the products for all event tree paths. An event tree allows the particular cause to be addressed. The event tree in figure 3.7 corresponds to a gated dam subject to a flood which may lead to overtopping of the dam in question. It displays the probabilities of failure of the undesired initial event (on top) in a deductive manner; that is, the analyst provides a logical sequence of conditions, which branch off into final probabilities of failure for each chain of imaginable events.
47
Figure 3.7. Event tree corresponding to an overtopping failure (after H. Kreuzer) Each box represents an uncertain event (condition) with an event probability, Pi, which needs to be estimated. Non-occurrence of the event implies complementary probability (1-Pi). A chain of linked boxes implies the interference of the connected event probabilities: • 'not only event A but also event B occurs' - probabilities are multiplied. • 'events of either chain A or chain B occur' - probabilities are added. The juxtaposition of probabilities is shown in the figure for estimated event probabilities (letter-indexed), and calculated failure probabilities (number-indexed). Thus, an event tree permits the systematic aggregation of probabilities along each possible event sequence. The result is a probability of failure for each chain of events. Event probabilities in event trees are obtained from statistical or subjective estimates. Subjective probability is a probability based on intuitively plausible numbers of expert
= Pw·PG·Ps
Pw
(1-Pw)·Po·PG·Ps·P21
(1-Pw)·Po·PG·Ps·(1-P21)
(1-Pw)(1-Ps)
(1-Pw)PG·(1-Po)
(1-Pw)PG·Po·(1-Ps)
Pw·(1-PG) + Pw·PG·(1-Ps)
48
judgement. Example: probability of spillway clogging (Ps in Fig. 3.7). Statistical probability is deduced from observations of similar events without an underlying model. Example: recurrence periods of extreme events. Mathematical probability is based on treatment of data populations by mathematical functions of probabilistic concepts. The event tree of figure 3.7 is an example of how to assess event and failure probabilities. In dam engineering, there is hardly a chance to rely on statistical data for flood warning (for Pw) or spillway clogging (for Ps). They therefore need to be assessed subjectively based on expert judgement. Figure 3.7 shows the cause-to-failure events for a particular reservoir level during flood occurrence. A complete risk analysis would show similar diagrams for other possible reservoir levels. The probabilities of each reservoir level would then be estimated from projected reservoir operation (for a new dam) or operating and flood records (for an existing dam). Overtopping is a failure event with a number of possible initiating causes. It can be caused by one or a combination of the following: • inadequate spillway capacity or insufficient freeboard (design inadequacy); • erosion of dam crest or excessive settlement (for an embankment dam): • negligence or impossibility to lower reservoir prior to flood arrival; • spillway obstruction or gate malfunction (operational inadequacy); and, • unstable slope in the reservoir. The unspecified entry of overtopping into a risk analysis is fundamentally wrong because as such it appears as an effect and not as a cause. Any remedial works, however, have to address the cause and not the effect. The event tree is constructed from left to right or from top to bottom, starting with some initiator event and proceeding through events describing the response of the dam to each level of the initiator. These event sequences are developed all the way to breach of the dam, and finally to consequences that result. Each event node is predicated on the occurrence of all directly-linked branches that precede it in the tree. The best way to start creating an event tree is to establish failure modes through a failure mode screening process. Once a failure mode has been identified, the event tree should be formulated to show the sequence of events and/or conditions which would have to take place or exist in order for the dam to respond in an adverse manner. The event tree should also identify possible interventions which could terminate the development of the adverse consequence. Case histories can provide additional insight for identifying failure modes and for breaking down the modes into sequences of events, a process sometimes called “failure mode decomposition”. Failure and incident information provided in case history reports describe the progression and sequence of the events that have occurred for other dams. Event tree analysis has to include also atypical failure modes that might be unique to the dam in question. Complexity The size and complexity of the event tree depend on what is known about the dam and its expected behavior under different loading conditions, on the complexity of the
49
failure modes considered, on the number of load ranges needed, and to some degree on the purpose of the risk analysis. The event tree must balance needs for comprehensiveness and detail against needs for consistency, clarity, and communication. Too little detail can reduce the ability to target specific risk contributors and can create problems in making reasonable structural response probability estimates. Figure 3.8 shows two versions of an event tree illustrating different levels of decomposition. As with all engineering problem solving, judgement is most easily applied to small components and later aggregated, and it has been shown that decomposition considerably enhances accuracy of the calculated failure probability. Since pf in figures l(a) and l(b) are the same, it is apparent that the greater decompo-sition of figure l(b) yields values of component probabilities, p, that are less extreme. Thorough decomposition also helps shift some of the burden for probability assess-ment onto the conceptualisation of failure events, which are usually easier to specify. In this sense, figure l(b) can be seen as an example of 'belt and braces' principle of design: The more things that have to go wrong, the less likely failure is to occur. Most engineers also find it much easier to describe the likelihood of events verbally than to assign p, values to them directly. In tailoring risk analysis procedures to this reality, conventions for transforming verbal to numerical probability statements, like those in table 1, have been found to greatly aid judgmental probability assessment. Fi
Figure 3.8. Example event tree for foundation liquefaction failure mode. (a) poorly decomposed; (b) well decomposed (after S. Vick)
Since pf in figures 3.8(a) and 3.8(b) are the same, it is apparent that the greater decomposition of figure 3.8(b) yields values of component probabilities, p, that are less extreme. Thorough decomposition also helps shift some of the burden for probability assessment onto the conceptualisation of failure events, which are usually
50
easier to specify. In this sense, figure 3.8 (b) can be seen as an example of 'belt and braces' principle of design. The more things that have to go wrong, the less likely failure is to occur. Most engineers also find it much easier to describe the likelihood of events verbally than to assign probability values to them directly. Conventions for transforming verbal to numerical probability statements, like those in table 3.3. have been found to greatly aid judgmental probability assessment.
Table 3.3. Verbal to numerical probability convention
Verbal description Probability equivalent Psychology studies virtually impossible 0.01 almost impossible
0.02 (0 to .05)
very unlikely 0.1 0.1 (0.02 to 0.15)
completely uncertain (two possible outcomes)
0.5 even chance 0.5
very likely 0.9 0.85 (0.75 to0.9)
Virtually certain 0.99 almost certain 0.945
(0.9 to 0.995)
Load Ranges and Increments. The three categories of loading conditions typically required in risk analysis are static, hydrologic, and seismic. The static loading condition includes a wide variety of specific loading conditions to which a dam is routinely exposed during the course of normal operation. These loads can include hydrostatic loads and uplift forces imposed by the reservoir, static and dynamic loads imposed by operating various components of the dam, loads induced by landslides at the dam or on the reservoir rim, or by the hydraulic phenomena (seepage, erosion, cavitation) associated with water passing through and around the dam. Most static loading conditions are related to the reservoir level either in terms of the magnitude of the load, time of exposure to the load, or the potential for adverse consequences. Therefore, historical reservoir elevation records are an important information source for assessing the likelihood of failure modes associated with static loading conditions. When evaluating the historical reservoir information, it is important to consider the data in a fashion which is consistent with the failure mode being developed. For most risk analyses it is likely that a Reservoir Load Frequency Curve will need to be developed. In the case of hydrologic loads the development of flood frequency relationships and reservoir inflow hydrographs are important inputs to the risk analysis process. For risk analysis, the focus of flood evaluations shifts from a single maximum event, like the probable maximum flood, to describing a range of plausible inflow flood events.
51
For utilization within a failure probability evaluation, seismic hazard must explicitly contain information on the frequency of occurrence (and/or exceedence) of relevant loading parameters. The ultimate goal of a probabilistic seismic hazard assessment is specification of ground motions. The most frequently used is a simple hazard curve that relates a ground motion parameter (often peak horizontal acceleration) to annual probability of exceedence. For use in liquefaction evaluations, consideration of ground motions organized by magnitude levels is required. The flood or earthquake initiator events can take any value over very wide limits of the recurrence curve. It is necessary to confine these limits to a sensible range of values that can affect the structural response or consequences in a significant way. Two threshold load levels naturally suggest themselves: a threshold below which no structural damage or adverse consequences are expected, and a threshold above which structural failure is almost certain to happen. Between these thresholds is a load range where structural damage or adverse consequences is possible to varying degrees. Often, the maximum load already experienced by the dam may be selected as the threshold below which no structural damage or adverse consequences are expected. The dam has survived this load, and one can usually assume that the dam will survive a repeat of this load, unless there is some progressive degradation mechanism at work. Examples of these approaches to developing load ranges are: Hydrologic Loading - Using the recorded floods to establish the threshold of adequate spillway performance. The spillway either successfully passed or did not pass the flood of record. Seismic Loading - A comparison of available liquefaction susceptibility studies to potential earthquake induced peak horizontal accelerations at a dam site can be used to set the lower bound of earthquake shaking that a structure can withstand without failure, i.e., the acceleration bound below which no liquefaction is expected to occur. Static (normal) Loading - There may be a structural feature located at a certain elevation (for example a more pervious layer in a compacted fill) where inundation by water begins development of potentially adverse seepage conditions. For reservoir levels below the elevation of this feature dam performance related to seepage is adequate. The time period the reservoir water surface is below the elevation of this feature would be one bound on the static loading. The lowest load range is very important due to its relatively high occurrence probability. It should establish the load range for which the dam is expected to perform without failure. Typically, this load range is called the “threshold” range for initiation of failure. 3.4. Failure probabilities based on reliability analysis Basic principles A certain failure mechanism of the dam may be defined by a variable parameter X. This may signify stresses, when failure is due to exceeding the capable stresses, sliding coefficients, when failure is a sliding along the foundation or on a sliding surface through the dam body, discharges when failure is induced by exceeding the
52
spillway capacity, etc. The variable X has the value X = L as a consequence of the external loadings and becomes X = R when failure takes place. The limit value R expresses internal strength of the structure. The condition for the failure not to take place is expressed by L < R. If L and R are well-established values as considered by the deterministic approach, a safety factor FS = R/L may be defined. When FS > 1 it will be no failure or damage and as a consequence there appears the idea of “complete safety ". The external loadings (L) as well as the strength capacity of the dam-foundation system (R) are aleatory variables due to: reservoir level variation, aleatory character of seismic loadings, material parameter variation, foundation different mechanical characteristics, etc. The variability of L and R may be expressed by the probability functions FL(X) and FR(X), and by probability density functions fL(X) and fR(X) respectively. [Probability density function (pdf) is mathematical expression to simulate observed histograms of random variables ie.events or material parameters]. Figure 3.9 shows the variation of the probability density functions characterized by the average values L0 and R0. Though on the mean L0 <R0, there is a domain (hatched in the figure) where the maximum accidental values of L are larger than the minimum accidental values of R.
Figure 3.9 Load and strength capacity density functions The surface of the intersection domains, where L > R, represents a measure of the probability of failure Pf. The numerical value of the failure probability results from the convolution integral:
Pf= P(L > R) = dXXfXF RL )()(0
∗∫∞
(3.1)
If the distributions of L and R values have small variances, their values being grouped round the mean ones (the solid line in figure 3.9) the failure probabilities have reduced values. If the distributions of L and R have large variances (the dotted line in figure 3.9) the failure probabilities are large and the safety factors lose the physical significance. A simple example – sliding failure probability of a homogeneous rockfill dam The failure mechanism consists in sliding of a downstream prism on a plane surfaces that passes through the downstream toe (figure 3.10, a). The external loads are given by the reservoir water pressure, by the dead load of the moving body and by the inertia forces induced by the earthquakes, considering the pseudo-static approach.
53
The stability condition for the volume placed above the sliding plane, that is defined by the angle α to the horizontal line, may be expressed as:
ϕtan21
21 ≤−+
=aBBaAAL (3.2)
where:
αααλα
αααλα
α
α
sin;)sincos()(cos
;cos;)cossin()(5.0sin
2
12
1
2
12
1
GBhhGB
GAhhGA
=−−+=
=+−+=
λ1 and λ2 represent the face slopes and a is the seismic coefficient. The probability density functions for each of the significant variables (h – water level, a – seismic coefficient and tan φ - strength parameter) were:
- log-normal for reservoir water level; - type II distribution of extremes for seismic coefficient; - normal distribution for internal angle of friction.
The probability function for L includes the variability of h and a and has the final expression:
+−
−−=−β
kAXBAXBXFL
22
11exp1)( (3.3)
The probability density function for tan φ is given by:
−−== 2
2
tan 2)tan(exp
21)(
σϕ
σπϕ
XXffR , (3.4)
where ϕtan is the mean value of ϕtan distribution, σ the mean square deviation and X is the integration variable.
Figure 3.10. Safety analysis of a homogeneous rockfill dam: a- failure mechanism; b- probabilities
54
The probability of failure is evaluated by the convolution integral:
dXXfXFLPP RA
Lf )()()tan(tan5
1∫
+=>=
ϕσϕ (3.5)
Safety analysis for Oasa dam in Romania based on this approach has led to the results presented in figure 3.10, b. The dam height is 91 m, the crest length is of 300 m and the fill volume of about 1.63 million m3. The dam body is homogeneous, except for a reduced area next to upstream face where the rockfill blocks especially compacted are limited to 0.5 m diameter. The sealing is provided by a reinforced concrete slab. The dam safety analysis consisted in estimating the failure probabilities in terms of the conventional safety factor for three values of the seismic coefficient a and two assumptions regarding the internal friction angle variability ( σ= 0.04 and σ = 0.08 respectively). As results from figure 3.10, b independent of the safety increase by making the downstream slope gentler, the failure probability does not reduce beyond certain limits. Failure of a gravity dam due to overtopping Assume now that a recent safety inspection proves the operational inadequacy of a spillway and that the scenario 'Overtopping' is considered as a downstream hazard. The probability that the dam's response to overtopping might lead to failure can be estimated by transforming the flood-pdf into a pdf of the load L acting on the dam for several overtopping levels because the level corresponding to design flood might not cause the highest risk. Excessive values of L would increase the risk of sliding (figure 3.11).
Figure 3.11. Assessment of probability of failure due overtopping (after H. Kreuzer)
55
Now does the dam resist sliding due to overtopping? To answer this question, the pdf of the sliding resistance R is obtained by introducing random variables for the shear parameters tan φ and c'. Applying the principles of classical reliability analysis, the probability of failure, Pf is obtained. For this case of overtopping, the model which relates flood volume to load on the dam transfers a difficult prediction (that of floods) for assessing the probability of failure into a more tangible parameter (that of load on the dam). More tangible, because it is an incremental load and it is a failure indicator which can be model tested. The variability of each input data is expressed by its mean value and by standard deviation or coefficient of variation (mean divided by the standard deviation). They ponder the physical variability of the random variables (floods, shear parameters) as such. However, there are also so-called 'second order errors'. They consider model-inherent uncertainty such as the chosen type of distributions (pdf) modelling an unknown reality, or the quality of data sets as judged by expert assessment. Comparing Pf with the failure probabilities of the other scenarios (scouring, undercutting of heel and uplift on reduced foundation surface) will provide a means for judging where the dominant failure modes are to be found and where safety has to be improved first. This is important: mathematical probabilities should not be judged in their absolute terms, only in relation to probabilities of other scenarios.
Probability of failure for an overflow gravity dam The failure mechanism consists in sliding along the dam-rock contact surface. The variable measuring the external load intensities is given by the resultant of forces (ΣT) being in parallel with the sliding surface. External loadings are presented in the figure 3.12.
Figure 3.12. Loads implied in safety analysis
Pf = 5.8 x 10-5
56
The strength is given by the mobilized friction forces ( f ΣN ) depending on the friction coefficient (f) and the resultant of forces (ΣN) perpendicularly oriented to the sliding surface. The stability condition ΣT< f Σ N would allow for evaluating the failure probabilities through a quite different way as compared to the integral form (3.1), by using the sliding ratio SR = f ΣN/ΣT :
∫=<=1
0)()1( dSRSRfSRPPf (3.6)
where f(SR) is the probability density function of sliding ratio. The failure probability refers to the usual static loads and consequently seismic events and floods (extraordinary water levels) have not been taken into account. Even so, the impossibility of analytical defining of f(SR) that involves several independent random variables like water levels, uplift forces and friction coefficients requires an indirect solving of the integral form (3.6). The herein proposed methodology and its numerical algorithm involve six successive stages, namely: - The defining of the probability density curves for each of the independent variables Xi on the basis of in situ measurements, as for discharges, and friction coefficients, or on the basis of some intermediate analysis as for uplifts (see figure 3.13).
Figure 3.13. The procedure to evaluate the probability density distribution for uplift forces
57
- The discretization of the domains of independent random variable Xi into subintervals; each subinterval (Xi)k-1,k is characterized by its mean value (Xi)k and the corresponding probability pk (Xi) of the subinterval values. - The evaluation of sliding ratios SR = f ΣN/ ΣT for all possible combinations of random variable mean values ( iX )k, thus obtaining a broad population of SRj ratios,
each being characterized by the total probability of occurrence Pj = Πj pk ( iX ) - The dividing of the whole domain of SR ratios into equal subintervals ∆(SR)r and sorting the SRj population into these subintervals. - The defining of the SRj histogram by assigning an ordinate p(SR)r to each subinterval ∆(SR)r; the ordinate is computed by adding the total probabilities pj(Σrpj(SR)r ) which correspond to all SRj ratios classified in the subinterval. - The replacement of the SR ratio histogram by a continuous probability density curve f(SR) and the evaluation of the failure probability Pf through numerical integration of the integral form (3.6). The proposed methodology could be easily solved out by computer codes. The proposed safety analysis procedure has been applied to the Iron Gates dam on the Danube, in Romania. The dam height is 60 m and the overflow section is characterized by 14 spillway bays with a maximum discharge capacity of 15,500m3/s. The upstream and downstream levels are dependent on the inflow Q. The probability density curves of the HUS and Hds levels (figure 3.13) have been determined starting from the discharge probability density described by a normal distribution with Q = 6500 m3/s and σ = 0.04. The probability density curve for the uplift forces has been determined on the basis of an intermediate analysis which mainly consists in evaluation of the seepage spectrum and the uplift distribution by means of numerical simulations performed based on a finite element model. The unsteady seepage analyses showed large delays in adjusting the uplifts to the upstream and downstream water levels. Consequently, the uplift forces were evaluated for all possible combination of upstream and downstream levels as independent variables. A normal distribution was selected for foundation hydraulic conductivity based on statistical processing of in situ measurements ( k = 8.56 x 10-8 m/s, σ = 0.0613). The schematic presentation of the methodology for determining the uplift probability density curve is given in figure 3.13. It follows the same stages as for sliding ratios SR. For the probability density function of friction coefficients it has been assigned a normal distribution its characteristic parameters ( f = 0.49, σ = 0.051) being determined based on the field data. Through the numerical integration (figure 3.12, b) the sliding failure probability has been determined as Pf = 5.8 x 10-5. By comparing the probability of failure value with the ones corresponding to other dam types and failure mechanisms, one could fairly ascertain its quite high magnitude due to the heterogeneity of the foundation characteristics.
58
3.5. Monte Carlo method The Monte Carlo simulation method has come to dominate event-tree-based risk analysis for dam safety studies. In this approach the analyst creates a large number of sets of randomly generated values for the uncertain parameters and numerically computes the performance function for each set. The statistics of the resulting set of values of the function can be computed and Pf calculated directly. The method has the advantage of conceptual simplicity, but it can require a large set of values of the performance function to obtain adequate accuracy. Furthermore, the method does not give insight into the relative contributions of the uncertain parameters that is obtained from other methods. 3.6. Comments on probability of failure The aim of the probabilistic approach is to make a quantitative estimate of safety in terms of its true meaning, which is the probability of collapse. According to Pierre Londe, one serious difficulty does arise before any computation commences. What failure probability is acceptable in any particular case? There is still no satisfactory answer to this question. There is one area in which dam engineers have been reasoning in probabilities for very many years, and that is flood-related risk. Statistically collated hydrological records enable river flood peak flows and volumes to be estimated on the basis of their recurrence intervals. Spillway capacity is set to discharge the flood whose probability of occurrence is judged to be reasonable in the light of the potential damage that might occur if the flood peak were exceeded. In good engineering practice a flood with a yearly probability of the order of 10-3 is generally considered acceptable for a concrete dam, whereas 10 -4 or less is required for an embankment dam, particularly when the PMF concept is applied. Accepting the fact that the statistical probability of failure of an existing dam is at present of the order of 10-5 per year, what should be the failure probability of a new dam under design nowadays? If we want to improve the safety of new dams we should set less than 10-5, say 10-6. But such a small quantity could only result from extreme values of the data distribution curves, both for loading and for resistance, in a region where they are very ill-defined and where the standard probability analyses loose their engineering meaning. A major difficulty is estimating uncertainty in numerical terms. Uncertainty in the data is handled by applying distribution laws to random variable parameters, but the most appropriate distributions are usually very difficult to determine, especially at the tails of the curves, i.e. for low-probability load or strength values. It must be remembered that failure is usually the outcome of a combination of high loads and low strengths, an extraordinary situation which we have the greatest difficulty in grasping. These are the reasons why, in spite of much effort and the general recognition of the theoretical value of safety evaluation by reliability analysis, the dam profession is still reluctant to use it in practice.
59
BIBLIOGRAPHY Bowles, D., Anderson, L., Glover, T. (1998). The practice of dam safety risk assessment and management: its roots, its branches, and its fruit. Eighteenth USCOLD Annual Meeting and Lecture, Buffalo, New York, August, 1998. Bureau of Reclamation. (2002). Spillway Gate Failure or Misoperation: Representative Case Histories. Water Operation and Maintenance Bulletin. No. 202. Denver. Bureau of Reclamation. (2003). Dam Safety Risk Analysis Methodology. Technical Service Center. Denver, Colorado. Bury, K., Kreuzer, H. (1985). The Assessment of the Failure Probability for a Gravity Dam. Water Power and Dam Construction, November. Federal Emergency Management Agency (2006). Why Dams Fail? www.fema.gov /hazard/damfailure.
Hartford, D., Baecher, G. (2004). Risk and uncertainty in dam safety. Thomas Telford. London.
Honningsvåg, B. (2007). Risk Assessment in Dam Safety Management. A reconnaissance of benefits, methods and current applications. Geilo Conf. , 29 August 2007. ICOLD. (2006). Risk Assessment in Dam Safety Management. ICOLD Bulletin 130. Paris. Ionescu, St., Stematiu, D. (1993). A probabilistic approach for certain design loads with significant contribution in dam safety evaluation. Proc. of Int. Workshop on Dam Safety Evaluation, vol. 3, Grindelwald, April, 1993. Kreuzer, H. (2000). Risk analysis for existing dams: merits and limits of credibility. Hydropower and Dams, Issue one. Lafitte, R. (1993). Probabilistic risk analysis of large dams. Water Power and Dam Construction. 45.
Londe, P. (1993). Safety evaluation using reliability analysis. Proceedings of the International Workshop on Dam Safety Evaluation, Grindelwald, April.
Priscu, R., Stematiu, D. (1984). Some design criteria for large dams on the basis of probabilistic concept of Safety. Proc. of Int. Conf. on Safety of Dams, Coimbra, April, 1984. Stematiu, D., Ilie, L. (1992). Safety assessment of Poiana Uzului dam based on monitoring data and backanalysis. Proc. of Int. Symp. on "Monitoring Technology of Dam Safety". Hangzhou, Oct. 1992.
60
Vick, S. (1997). Dam safety risk assessment: new directions. Water Power and Dam Construction. 49, July. Vick, S. (1999). Considerations for estimating structural response probabilities in dam safety risk analysis. U.S. Bureau of Reclamation Technical Service Center Denver, CO.
61
4. CONSEQUENCE ASSESSMENT
4.1. Introduction The failure of a dam results in a flood wave. The hydraulic characteristics of this flood wave highly differ from a conventional flood wave in a river due to high precipitation. The sudden failure results in a wave with large energy and high flow rate, which suddenly floods the downstream settlement and causes large devastation. The resulting damage encloses far away sections of the downstream settlements and can be very high for humans, economics and the environment. When evaluating expected costs and consequences, one considers potential downstream damage in terms of loss of life, injuries, environmental effects and material losses. There will be special considerations for a cascade development along a river, and the role of warning time achieved through surveillance and monitoring is essential in the analyses. The time delay in the dam-breach process may be crucial for the extent of the consequences (for example, the dam-breach erosion process may be much faster for an earthfill than a rockfill embankment), and appropriate preparedness and action plans may substantially decrease the computed risk. The following subchapters are almost entirely based on the considerations in chapter 10 of the book Risk and uncertainty in dam safety written by Desmond N. D, Hartford and Gregory B, Baecher. 4.2. Identifying consequences The first step in consequence assessment is identifying the consequences and sub-consequences. Figure 4.1 suggests such a hierarchy of consequences, sub-consequences, and measures that might compose the target of attention in a risk analysis for dam safety. The area of possible consequences that could be considered in a risk analysis is large. Some of these have to do with public safety, such as deaths, injuries and illnesses as a result of the flooding. Others have to do with economic costs incurred by the loss of the dam itself and its productive value, property losses downstream caused by the destructive forces of the flood and by the loss of productive value of the resources (infrastructure, land, and industrial facilities) damaged by the flood. Still others have to do with environmental degradations, for example, the loss of habitat and wildlife. In most of the cases the consequence assessment focuses on a few that call attention by their significant importance: loss of life within the public safety category, loss of capital property within the economic category, and species and habitat loss within the environmental category.
62
Figure 4.1. Direct consequences and sub-consequences (their measure units are shown
in boxes with dashed lines) (after Hartford & Baecher)
Consequence modelling is a broader activity than the engineering performance modelling. Typically, consequence modelling involves four phases: - Characterising the breach of the dam. - Downstream flood routing of the flood wave. - Assessing the impact of the flood wave downstream. - Assigning numerical values for lives lost, monetary economic loss and environmental damage. A consequence evaluation process has four parts: (1) physical process modelling of the dam breach and flood routing; (2) characterisation of land use, economic activities and population within the affected area; (3) forecast of physical responses and of individual and social response to the inundation; and (4) valuation either in monetary units or other measures.
4.3. Dam breach modelling When downstream populations are far from the dam site, the specific details of a dam failure have little influence on public safety, evacuation planning and other conse-quences of the failure. In these cases, flood routing, travel times and attenuation dominate the calculation of consequences. On the other hand, closer to the dam site the specific details - breach shape, width and time for the breach to develop - do affect both planning and the magnitude of the consequences. The important outputs of dam
63
breach modelling for consequence prediction are the arrival time of the flood wave (which affects warning time), depth of the flood and velocity of the flow. If we consider a real dam, we have to ask how the potential breach formation would be occurring. The failure mode depends firstly on the kind of dam. A realistic scenario could be found in the wide range between a sudden and total dam break of an arch dam and several our long lasting erosion process considering earth dams. The knowledge of historical dam break cases could help to find realistic scenarios. The final breach depth and width and the breach formation time are the most important parameters to calculate the outflow hydrograph. In order to take their uncertainty into consideration one could use not one definite value for each parameter but a certain number of different values. An occurrence probability can assign to each of this values. Using theses parameters in a large number of combinations the calculation of the outflow will let to numerous hydrographs. At the end the peak discharge, the outflow volume and the time to peak are now also values with a certain occurrence probability. Earthen embankment breaches are typically modelled as trapezoidal broad-crested weirs in which the significant parameters are side slope horizontal: vertical (L:H), breach width (b), and breach elevation. The side slope typically varies from 0:1 to 2:1. A fully formed breach in earthen dams tends to have an average width in the range of 0.5 to eight times the height of the dam. Field observations indicate that breaches do not typically erode the entire embankment. Therefore, the breach elevation may not be at the toe of the embankment. Typical values for a breach bottom elevation is approximately equal to 1/3 the height of the embankment; however, erosive velocities may cause the breach to erode to the toe of the embankment. There is a time period in which the breach will gradually develop into its ultimate dimensions. Therefore, flow rates through the breach could be expected to vary according to the area of the opening, driving head, and storage volume. A hypothetical outflow hydrograph for a breach developed over various hours is shown in Figure 4.2.
Figure 4.2. Dam breach outflow hydrographs for various breach formation time
Time in hours
64
Flow rates through the breach, would be predicted given these time dependent variables. The important factor for downstream consequences is the form of this outflow hydrograph: how quickly the breach develops, how quickly the discharge builds up, how large the peak discharge becomes, and how quickly the pool drains. Dam breach modelling attempts to predict all these conditions. Dams can fail slowly or suddenly depending on the physical mechanisms of failure and the remedial actions taken by dam operators to inhibit failure. The dam breach dimension and time for the breach development are strongly dependent on the structural type and size of a dam, foundation geology and treatment during construction. Downstream consequences depend in large measure on the rapidity with which the failure occurs, and on corresponding warning times and the force of flooding. Typically, the outflow hydrograph peaks quickly within one or a few hours, and then more slowly drains the reservoir over several hours. In practice, dam break models normally require a priori estimates of the time for a breach to form, and of the shape and width of the breach. These factors typically are not outputs of dam break models but rather inputs. 4.4. Flood routing Flood routing models the downstream propagation of the flood wave as it moves downstream of the dam (Figure 4.3). The objective of these models is an accurate prediction of flow discharge, velocity and depth as a function of time and distance downstream after the formation of a breach. Flood routing is important because these unsteady flows from dam breach experience significant peak attenuation as the flood wave moves downstream.
Figure 4.3. Floods hydrographs in various downstream reaches (after Hartford & Baecher)
Three different approaches are used to route flood waves downstream: Numerical codes for the complete 1D and 2D St Venant equations of unsteady flow; peak (breach) discharge attenuation curves coupled with Manning's equation to calculate flow depth; and Muskingum-Cunge routing with Manning's equation for flow depth.
Outflow m3/s
Time
At dam site
Near downstream
Further downstream
Far downstream
65
Numerical solution to the St Venant equations provides the most accurate predictions and, thus, the second and third approaches using Manning's equations to approximate flow depth introduce additional error. In addition to uncertainties in the dam breach modelling, uncertainties also apply to flood routing. It is conceptually straightforward to add parametric and model uncertainty to existing modelling approaches by probabilistic modelling of dam breach and downstream flood routing. The biggest challenge is the spatial variability in channel and floodplain geometry and their physical properties. In addition, significant uncertainties in flood routing are generated by debris load, channel erosion, sediment transport and a variety of considerations usually not included in the hydraulic routing model. The flood contours and corresponding heights and velocities have to be plotted on topographical maps (figure 4.4).
Figure 4.4. A flood map for consequences assessment
66
Consequence forecasting depends on downstream characteristics, land uses and exposures. These are typically represented in downstream demographic and land-use databases, often incorporated in geographic information systems (GIS). These data can be of many types, but should include: (1) topography; (2) land-use categories; (3) population; (4) critical facilities and infrastructure; (5) economically important facilities; and (6) environmental or culturally important sites. 4.5. Evaluation of consequences 4.5.1. Loss of life The prime driving force in any dam safety assessment is the hazard the dam presents in terms of the potential for loss of life. Estimation of the potential for loss of life is unfortunately subjective. It can lead to a week point in the dam safety assessment process; particularly in jurisdictions where, politically, there is a desire to ensure that risks associated with loss of life are eliminated. In such situations, since it is not possible to accept consequence, the dam safety assessment attempts to define design standards to drive probability to ‘zero’. The factors influencing fatality numbers are listed below:
• Cause and type of dam failure • Number of people at risk • Timeliness of dam failure warning • Flood depths and velocities resulting from dam failure • Time of day, day of week, and time of year of failure • Weather, including air and water temperatures • Activity in which people are engaged • General health of people threatened by floodwater • Type of structure in which people are located • Ease of evacuation
Characterising the number of potential fatalities due to a dam failure is complicated by the large number of factors that influence the death rate within a population potentially exposed to inundation. The most important factors are: (1) the number of people occupying the dam failure flood plain; (2) the amount of warning provided to the people exposed; and (3) the severity of flooding. As a result, uncertainty enters any forecast of fatalities due to dam failure because the time of day and season of the year is a priori unknown, the extent of effective or usable warning is unknown, and the exact conditions in the flood plain are unknown, as are the human reactions. The number of people at risk downstream from some dams is influenced by seasonality or day of week factors. For instance, some tourist areas may be unused for much of the year. The number of time categories (season, day of week, etc.) selected for evaluation should accommodate the varying usage and occupancy of the floodplain. Since time of day can influence both when a warning is initiated as well as the number of people at risk, each study should include a day category and a night category for each dam failure scenario evaluated. Determining when dam failure warnings would be initiated is probably the most important part of estimating the loss of life that would result from dam failure. The
67
time before a warning is issued can be broken down into a detection period, a decision period, a notification period, and an implementation period. After an event that initiates dam failure, time can pass before operations personnel detect a potential problem at the dam. This is the detection period. The decision period comes after the situation is observed, when outside expertise and decision makers may be consulted, and a decision is made that the situation will lead to a dam failure. Once this decision is made, the notification period follows during which the proper emergency response authorities are contacted and convinced that an evacuation is appropriate. Once the proper authorities have been notified, the warning may take time to reach those who must evacuate. The time between the initiation of a dam failure and the emerge of a notice to evacuate a population, added to the time it takes for the flood wave to travel to the population, is the warning time. The components of warning time are dependent on physical as well as human factors. The physical factors may be functions of the event time (hour, weekday, and season) and the conditions after the event (e.g. extent of damage to infrastructure, evacuation routes, or communications). The human factors include reluctance to issue an evacuation warning and degree of emergency preparedness. An evaluation of past dam failure data indicated that timely dam failure warnings were more likely when the dam failure occurred during daylight, in the presence of a dam tender or others. Timely dam failure warnings were less likely when failure occurred at night or outside the presence of a dam tender or casual observer. Dam failure warnings were also less likely where the reservoir was able to quickly fill and overtop the dam. It also appears that timely warning is less likely for the failure of a concrete dam. Although dam failure warnings are frequently initiated before dam failure for earthfill dams, this is not the case for the failure of concrete dams.
The empirical relation proposed by DeKay and McClelland is often used in an attempt to relate the potential loss of life associated with dam failure with warning time, the ‘population at risk’ and the type of flood expected.
where,
LOL = potential loss of life P = total downstream population ef = exposure factor (percentage of people likely to be in residence at the time of the event) x = 2.982 WT – 3.790 (for deep fast-flowing water) = 0.759 WT (for broad shallow flood water) WT = warning time in hours.
Various types of uncertainty can influence loss of life estimates. Quantifying uncertainty is difficult. Separate loss of life estimates has to be developed for each dam failure scenario. Various causes of dam failure will result in differences in downstream flooding and therefore result in differences in the number of people at
LOL
68
risk as well as the severity of the flooding. The number of people at risk (ef*P ) will likely vary depending upon the time of year, day of week and time of day during which the failure occurs. In the evaluation process the dam failure has to be assumed to occur at various times of the day or week. It is recognized that the time of failure impacts both when a dam failure warning would be initiated as well as the number of people who would be at risk. Finally, the warning initiation time could be varied to determine sensitivity to this assumption.
In most of the cases the risk to public health is defined in terms of Persons at Risk (PAR) so as to allow a less emotional means of defining appropriate dam safety standards. As part of this approach the concept of Persons to Evacuate as a measure of downstream risk tolerance is being proposed. The advantage to this approach is the defined risk parameter represents a positive approach, that is the hazard the dam presents to the public can be defined by the total number of people that would need to be evacuated in the event of an hypothetical dam failure as opposed to the numbers of people that may potentially loose their life or be put at risk.
Public safety consequences are not limited to lives lost but also include injury and disability, or pain-and-suffering. From a policy point of view, public safety consequences short of death are sometimes treated as economic variables in that their impact can enter consequence accounts through litigation and financial settlements. This does not obviate the need for quantitative estimates of the extent of these impacts, but merely shifts them to another account. 4.5.2. Economic consequences Estimates of economic consequences are easier than corresponding estimates of public safety impacts. Buildings and most other infrastructures in the floodplain (e.g. highways, bridges, utility networks) are stationary, and good data are often available with which to forecast damage and impairment. A long history of benefit-cost analysis in public investment theory provides economic and analytical guidance on how to quantify and compare economic costs. Nonetheless, the economic consequences of failure are presumably more complex to estimate than the economic costs and benefits projected during project planning. The principal categories of economic consequence of dam failure are direct consequences and indirect consequences. Direct consequences are the immediate impacts of the failure or being in contact with floodwaters. Direct economic consequences include, for example, loss of the capital investment in the dam, appurtenant structures and downstream improvements; destruction of downstream property: buildings, equipment, land improvements; and loss of seasonal crops. Indirect consequences are the subsequent impacts that cascade from the direct impacts of inundation, principally including the loss of use of resources. Indirect economic consequences - which economically may be even more important than direct impacts -include, for example: loss of productive use of land for agriculture, industry, and recreation; loss of power production; and loss of use of residential property and substitution of other housing for that loss. In some ways, modelling and forecasting economic consequences of failure differ little from modelling and forecasting of costs and benefits for routine projects.
69
4.5.3. Environmental consequences Until recently, environmental costs and benefits of water resource projects have not been included quantitatively in project investment decisions for most dam projects. This being the case, the calculus for evaluating environmental consequences of dam failures is inadequately developed. Increasingly, public opinion and government policy seem to indicate that environmental consequences should be accounted for. Including environmental consequences within risk analyses for dam safety raises a number of challenges: how comprehensively to account for environmental consequences since many of which are subtle; how methodologically to estimate environmental impacts when understanding of ecosystem response is nascent; how to economically value those impacts in the absence of markets? The uncertainties, both of predicting quantitative environmental consequences of dam failure and of valuing those consequences are great, probably greater than corresponding uncertainties in public safety or economic consequences. One approach is that environmental and ecological costs and benefits not be quantitatively incorporated in a consequence assessment unless a unique downstream situation demands inclusion. This should be done in case of protected habitat or wildlife under government regulation, national heritage sites, or hazardous installations whose flooding would lead to the spread of contaminants. Watersheds are hydrologically bounded ecosystems, and therefore a logical unit for environmental and ecosystem analysis. Yet, predictions of watershed response to catastrophic assaults, such as dam failure floods, are challenging and we have little experience by which to validate predictions. Trade offs among environmental, political, economic and social factors based on subjective value judgements are common in environmental analysis. It is often difficult to reconcile the desire to make scientifically supportable predictions with the complexity of how local watershed hydrology, hydraulics and ecology work. Assessment is one of the most critically important parts of watershed management because it attempts to transform scientific data into policy-relevant information that can support decision-making and action. Ecological risk assessment may be particularly useful in watersheds as a scientific method. Such risk assessment techniques, now being developed for other applications, could come to play a major role in dam safety risk assessments in coming years. 4.5.4. Socio-economic and other consequences of dam failure While public safety, economics and environmental impacts are the consequences of principal concern in dam failures, other and secondary consequences may inform decisions. Important among these are the effect of dam failure on the reputation of the owner and operator of the dam, political or regulatory repercussions of a failure, and the distribution of costs across affected parties or victims.
70
Critical infrastructure may exist downstream of a dam which, if destroyed or damaged sufficiently to impair service, could seriously affect public safety or economic well-being outside the zone of flooding. Such infrastructure includes transportation facilities and structures (highways, railroads, navigation works, and bridges), utility networks (power transmission and distribution, pipelines), telecommunications net-works and structure (relay towers), water supply and waste-water removal systems, and other lifelines upon which society depends. Damage to these infrastructure components can have regional or national economic impacts, for example, causing a redistribution of services through other regions that would not normally be included in a dam safety risk analysis. However, they may also have identifiable direct impacts, typically of an economic nature, and beyond the simple cost of reconstruction, that would be included in a risk analysis. For example, the disruption of electrical power to an identifiable factory or other installation might have to be made up for from alternative, higher priced, sources. BIBLIOGRAPHY Bureau of Reclamation. Dam Safety Office. (1998). Prediction of Embankment Dam Breach Parameters. DSO-98-004 Dam Safety Research Report Bureau of Reclamation. (2003). Dam Safety Risk Analysis Methodology. Technical Service Center. Denver, Colorado DeKay, M. L., McClelland, G. H. (1993). Predicting Loss of Life in Cases of Dam Failure and Flash Flood. Risk Analysis; Vol. 13, No. 2
Hartford, D., Baecher, G. (2004). Risk and uncertainty in dam safety. Thomas Telford. London.
Hoeg, K. (1998). New dam safety legislation and the use of risk analysis. Hydropower and Dams, Issue 5. ICOLD. (2006). Risk Assessment in Dam Safety Management. ICOLD Bulletin 130. Paris. Lafitte, R. (1993). Probabilistic risk analysis of large dams. Water Power and Dam Construction. 45. Pohl, R., Bornschein, A. (2007). Risk estimation for the hypothetical breach of dams. TU Dresden, Institut für Wasserbau und Technische Hydromechanik. Dresda.
Salmon, G., von Hehn, G. (1993). Consequence Based Dam Safety Criteria for Floods and Earthquakes. Proceedings of the International Workshop on Dam Safety Evaluation, Grindelwald, April.
71
5. RISK MANAGEMENT
5.1. Introduction The major branches of dam safety risk management include risk analysis, risk evaluation, and risk treatment (reduction). Risk assessment combines the first two branches and risk management combines all three. From the management perspective, risk treatment options can be grouped into the following categories: • “Avoid the risk” - this is choice which can be made before a dam is built or perhaps through decommissioning an existing dam. • “Reduce (prevent) the probability of occurrence” – typically through structural measures and dam safety management activities such as monitoring and periodic inspections. • “Reduce (mitigate) the consequences” – for example by effective early warning systems or relocating exposed populations at risk. • “Transfer the risk” –by insurances arrangements. • “Retain (accept) the residual risk” - after risks have been reduced or transferred, residual risks are retained by the owner and may require risk financing.” While the first three options reduce the risk to which third parties are exposed, the fourth and fifth options only affect the risk that the owner is responsible for and not the risk to which third parties are exposed. Risk mitigation aims to reduce either likelihood of an occurrence or its consequences, or both. Risk mitigation is a logical step following risk estimation. If the calculated risk of the existing system is judged to be too high, alternatives are promoted to reduce the risk of failure. These alternatives are incorporated into the risk model and re-evaluation is conducted to estimate their impacts. After repeated study using different alternatives the decision makers are provided with suitable alternatives for improving overall dam safety and their estimated costs. A comprehensive dam risk management process is illustrated in figure 5.1. Risk management includes risk assessment processes (analysis and evaluation of the risk in dam system) and risk control or risk reduction. Decisions concerning the increased safety or/and reduce the consequences are based on detailed risk and safety assessment. Consistent with traditional dam safety decision-making, the dam risk management process requires four supporting processes: - analysis of existing information about the dam and eventually implementation of additional investigation programs.
72
Figure 5.1. Dam risk management process (after Hartford & Baecher) - establishment of criteria required to assess the normal and safe operation of the dam system. - assessment of safety and risk of the dam in order to promote the most appropriate behaviour diagnosis and the course of action. - risk control measures. Risk assessment is central to the dam risk management process. The results of the risk analysis and risk evaluation processes are integrated and recommendations are made with respect to the risk control process. An effective risk management program (figure 5.2) will use risk assessment processes in order to evaluate the need for a dam safety improvement if the dam safety criteria are not entirely met. On the basis of repeated risk assessment processes, using different alternatives, the type of improvement which is the most appropriate is
SAFETY ANALYSIS
YES
73
selected. Risk assessment also helps the improvement of the operation, maintenance and surveillance procedures.
Figure 5.2. Use of risk processes in a dam safety management If the level of risk is above the acceptable one, actions are required to increase the dam safety and to reduce the potential consequences in case of its failure. The increase of safety is the objective of the safety management and, as it was stated, comprises an aggregate of structural and non-structural measures. For the dams being in operation the basis of the safety management lies in monitoring of their behaviour and in periodical safety assessments. The latter ones must confirm that the dams are safe or, depending on the case, they should identify the safety deficiencies and start efficient measures to prevent the evolution towards failure. The reducing of consequences in the case of a dam failure is prevailingly referring to the removing or diminishing at maximum of human loss of life. Warning and evacuation of potentially affected population, according to a thoroughly established action schedule have beneficial effects in this respect. 5.2. Tolerability and acceptance of risk The most complex, controversial and sensitive issue that matters to society is the relation between classical engineering safety as guided by experience and codes on
Improve dam safety or
Reduce consequences
Periodic dam safety reviews and
Management system audit
Dam safety assessment Traditional good practice
Risk assessment
Conduct continual surveillance
Operate normally and
Maintain emergency preparedness
Every 5 to 10 years
Yes
No
Yes
No
Does the dam meet all safety requirements
Is the dam safe enough?
74
the one hand and the philosophies about acceptable risk levels, that have been evolving in some societies in recent years. The question of acceptable risk is sometimes explicitly but mostly implicitly at the basis of every engineering design decision. The popular request for absolute safety is unattainable, because it would require the spending of an unlimited amount of society’s resources. In most treatises of acceptable risk two positions are discerned. The point of view of the individual, who decides to undertake an activity weighing the risks against the direct and indirect personal benefits. And secondly the point of view of the society, considering if an activity is acceptable in terms of the risk-benefit trade off for the total population. The differing perceptions of risk between technical expert and public audiences can be striking. If the risk communication between dam professionals, owners, regulators, risk takers and the public is ineffective then the course of action proposed as a result of a risk assessment may not be accepted. Figure 5.3 shows the barriers preventing mutual understanding.
Figure 5.3. Differences between public and engineering perception of risk Calculation of the probability of failure and the consequences of failure lead inevitably to the question: "what is acceptable or what is tolerable?" The framework for risk evaluation may consider several aspects:
personal or individual acceptable or tolerable level of risk socially tolerable level of risk risk based on economic optimisation risk based on insurance type requirements.
The personally acceptable individual level of risk is defined as the acceptable probability of dying due to an accident caused by a third party. An acceptable hazardous activity should be limited to a reasonable increase to the individual's present risk.
75
The tolerable individual risk depends on the character of the new event. In the Netherlands a value of 10-4 per year has been taken as the background level of individual risk (politically agreed upon in parliament). The choice of an acceptable risk level may range, from 0.001 of the background risk to 10 or more time the background risk. A value of 0.01 is applied in the case of an imposed risk and 10 or more may be applied in the case of a voluntary risk like motor driving and mountaineering. In general a dam/reservoir system would have to meet a tolerable individual risk of 10-6 (0.01times the individual background risk), but the benefits of the dam/reservoir for the potential victims may in certain situations allow a policy factor larger than 0.01 for tolerable risk. The factor beta in figure 5.4 (the F/N representation of risk) ranges from 0,001 - 0,1. This policy factor represents the range in acceptance between different types of risk. The individual criterion doesn't account for the societal impact of a large number of casualties due to the failure of a dam. Reactions of society to large scale accidents are generally more intense than to small scale accidents. The socially tolerable level of risk is defined for the total number of fatalities due to a hazard. Again a policy factor is applied to set the risk that society will tolerate. Taking into account the number of independent similar activities a safety requirement or tolerable risk per activity can be derived. The economic optimisation strategy is a widely accepted procedure and will not be discussed further. However, care should be taken to avoid a situation where a dam owner is unable to pay for the damage due to the failure of one of his dams. In such a case the condition moves to insurance cover. This is more likely to control the tolerable level of financial risk than economic optimisation. The individual risk, tolerable societal risk, economical optimisation and financial capacity of the dam owner all have to be combined in assessing the, acceptable level of safety of a dam. But in order to be able to appraise projects, society must establish their standards. This is a matter of public debate. The choice is the level of risk versus the cost to reduce it to a lower level. Society pays that cost one way or the other! So: the downstream community (and their legal representatives) need to be formally consulted in regard to individual dam safety evaluations. Based on statistics of fatalities from human activities, the concept of socially acceptable risk (SAR) was developed. It addresses the society's need to quantify involuntary risk and it is a means to assign value to life without resorting to monetary units. SAR is generally depicted in so-called F/N diagrams (see figure 5.4), with F generally the cumulative failure probabilities of scenarios with loss of life and N the number of lives lost in these scenarios. Presently F/N charts are used in Australia, US, South Africa, the Netherlands, and, although not yet formally in force, in Canada. They suggest threshold lines separating acceptable from unacceptable societal risk, with some manoeuvring space often called "as low as reasonably possible" (ALARP). If a dam falls within the ALARP stretch, the situation triggers the question "is risk reduction economically grossly disproportionate or technically impractical?", yes or no. If yes, a position below the upper threshold line is acceptable if not, the objective is to reduce the risk
76
The ANCOLD chart contains the important note: "Where fatalities are expected, as part of a risk-based decision at a specific dam, consultation with the affected public is required as part of the final decision process".
Figure 5.4. Examples of F/N charts used in some countries Holland's SAR-charts introduces the factor beta (β), which stands for the degree of voluntarism. It can be chosen for a particular risk case (dam breach, operational deficiency etc.). The South Africans assess SAR for five categories: monetary losses, social and environmental losses, population at risk and annual risk of fatalities per exposed hour. In USA the Bureau of Reclamation and Washington and Montana states are users of the risk analysis techniques and have established F/N charts. Their charts are comparatively presented, in figure 5.5.
77
Figure 5.5. Comparison of Societal risk criteria in USA (after 130 ICOLD bulletin) Although F/N charts turn out to be a valuable tool for judging the effect of several options to mitigate loss of life, they have shortcomings in respecting the views of the affected public. Some dam engineers point to the subjectivity of SAR and suggests a potential risk for loss of life less than 10-6 per year and per person.
Figure 5.6. Risk for selected engineering projects (after G. Solomon)
78
It should be noted that the criterion of limiting the expected value of damages to $10,000 per year (see figure 5.6) is not an economic criteria; instead it is related to an insurance concept. B.C. Hydro considered that the annual probability of $100 million in damage should be no greater than 10-4 for any dam, which is the same as the probability of the death of an individual identified as being most at risk from the failure of the dam. Likewise, the loss of $10 billion was considered so serious that the probability should be negligible or 10-6/year. Both these conditions yield an expected value of damage of $10,000 per year. The standards of safety should be changed as societal values and expectations (culture) change, or if the society wants more safety at higher costs or less expenditure with correspondingly higher risks.
Tolerable risk criteria have not yet been established for environmental damage except as it can be expressed in monetary values; this is another challenge for the future. 5.3. Risk reduction As it was stated, the reducing of risk associated to a certain dam is made both by increasing of its safety and by reducing the potential consequences in case of its failure (figure 5.7).
Figure 5.7. Risk reduction branches (after R. Biedermann)
79
Dam safety includes structural safety - that may be achieved through appropriate design - and monitoring of the dam behaviour under operation. Both actions contribute to risk reduction acting on the first factor of the risk, namely the probability of failure. Risk reduction also includes the emergency preparedness that aims to mitigate the consequences if the dam failure happens. For the dams being in operation the basis of the safety management lies in monitoring of their behaviour and in periodical safety assessments. The latter ones must confirm that the dams are safe or, depending on the case, they should identify the safety deficiencies and start efficient measures to prevent the evolution towards failure. 5.3.1. Dam surveillance The goal of surveillance is to recognise as soon as possible a damage, a defect in structural safety or an external threat to safety such that the measures that are necessary to master the danger which occurred can be taken (figure 5.8).
Figure 5.8. Elements of surveillance and their objectives
80
Regular checks of the condition and of the behaviour of the dam as well as periodical safety evaluations are needed. The regular checks serve in particular in following the current behaviour, and the periodical safety evaluations in following the long-term behaviour as well as in verifying the structural safety. A complete assessment of the condition and of the behaviour may be achieve by visual checks, measurements on the instrumentation and operating tests of gates and valves as well as of emergency power unit. Visual checks are needed because changes in condition and certain behaviours cannot be assessed by measurements or only with much delay. For example, the appearance of a wet spot or of a spring downstream of the dam can be an indication that seepage in the foundation has changed. Figure 5.9 illustrates the behaviour incidents that may be detected by visual inspection of an earth dam. Increased importance has to be given to visual checks, because experience shows that around 70% of all emergency situations can first be identified visually.
Figure 5.9. Incidents that can be relived by visual inspection of an earth dam Functional checks in which the moving parts of the gates are tested are needed from time to time to verify their readiness. The wet operating tests at fairly full reservoir to
81
verify that the spillway and bottom outlet gates can also be opened under the most adverse operating conditions is also mandatory for gated spillways. The increased emphasis on the early detection of a threat does not require a very frequent surveillance or the collection of many data. Of the outmost importance is rather that the measured data which give representative information of the behaviour of the dam and of its foundation (so-called main indicators) be read at reasonable time intervals and be looked at in depth. The interval between two controls is adequate when it is less than the period during which significant changes in normal behaviour can occur. Those are time spans which lie between a week and a month, depending upon the measured data. Measured data are analysed with sufficient depth when this is done not only by the dam wardens, i.e. at the 1s' surveillance level (figure 5.10), but - within a week - also at the 2nd surveillance level, i.e. by the experienced civil engineer and this with the help of appropriate assessment tools like envelope curves or a numerical model to determine the expected deformation.
Figure 5.10. Organization of monitoring (after R. Biedermann)
82
Dam monitoring has to be organized on three levels (figure 5.11):
• level I is performed at dam site and consists in visual inspections, measurements and primary processing of the collected data as well as immediate analysis of the results; • level II is a periodical synthesis of observations and measurements as well as of the annual technical inspections and their interpretation from standpoint of dam safety; this synthesis is made by care of the owner and is performed by qualified dam engineers who draw up safety assessment reports; • level III is represented by the analysis and approval of the annual safety assessment reports made by a dam monitoring commission at the national level.
Figure 5.11. Organizational levels of the dam monitoring system
The dam monitoring efficiency in a safety management program is first of all given by the activity performed at the first level. The dam behaviour analysis made at this level must be safe, fast and easily applied by the personnel with an average education. Consequently, the solution usually adopted is the direct comparison of the measurement data with some critical values. Since the values of the monitored parameters are generally dependent on several external factors (reservoir level, temperatures etc.), the normal domain for a response parameter can be characterized only by values that depend on their turn on the external factors. That is the reason why the notion of critical value should be replaced by a warning criterion, which corresponds better to the complex nature of phenomena.
The main purpose of the regular monitoring and visual inspection is not so much to check individual measurements against limiting values, but rather to observe the trend with time so as to be able to detect, explain and remedy deviations from normal behaviour. Early diagnosis allows cost-effective prevention before damage is done, and the price for complacency may be high. Ideally, during the dam construction and first years of reservoir operation the designer should be involved in interpreting the readings, since he has an intimate knowledge of
83
the engineering assumptions used, and is therefore the best person to detect any abnormal performance and to estimate how serious it might be. Surveillance can still be improved and can go beyond the minimum that is required by automating data acquisition of the main indicators, by transferring in a remote fashion the corresponding data to a place that is more or less permanently staffed and by maybe comparing daily the data with computed values. 5.3.2. Dam monitoring instrumentation The monitoring of dams during their construction and operation, by appropriate instruments, is an essential component in safety enhancement. An efficient instrumentation system must be designed with the dam, at the same time and by the same team since it is an integral part of the design. It is vital for safety that instruments should monitor physical quantities that are significant in the failure scenario mechanisms. Instrumental data can only be properly interpreted and their impact on safety assessed by reference to a mathematical model. The short presentation that follows is based on the paper presented by Swiss Committee on Dams on the occasion of the 22nd ICOLD Congress. Instrumentation for external loads External loads (especially hydrostatic pressure) directly affect the dam behaviour. The outside conditions affecting the dam are mostly atmospheric conditions on site (rainfall and ambient temperature for example). Hydrostatic pressure being an important load, the changes in the reservoir water level must be read and recorded even if the reservoir stays empty most of the time as it is the case for detention ponds. The measuring range must extend beyond the normal operation level in order to follow extreme values of the water levels in case of flooding. Moreover, water temperature is also a data to record. In case of important sedimentation (changes in the loads, marked decrease of useful volume, risk of blocking outlet works), it is necessary to check their level regularly. Bathymetric readings could be performed in this case, as often as necessary according to the amount of sediments accumulating. The atmospheric conditions (temperature and air humidity, rain gauge, snow) are equally important data. The ambient temperature has an important incidence on the deformations of a concrete dam. The variations of temperature in the body of the dam can be followed by thermometers placed directly in the mass during the concreting. They are installed at several elevations and distributed across the thickness of the concrete section. The thermometers situated close to the surface are extremely influenced by the local external conditions (air and water). Thermometers can be inserted in drill holes whilst isolating them thus avoiding the influence of external temperature or the one in a gallery. In the case of failure, it shall thus be possible to remove and replace them. It is recommended to record if precipitations fall as rain or snow. Finally, it is necessary to note that precipitations and the melting of snow sometimes have a direct
84
influence on the infiltrations within the foundation, as well as on uplift pressures. In certain cases, the seismic conditions at a site may be recorded. Instrumentation of concrete dams A synthesis of concrete dam instrumentation is presented in figure 5.12. Some of the dedicated measurement devices are presented in the followings. Monitoring of dam body deformations. The objective is to know the horizontal and vertical displacements at a given point. According to the dam configuration (with or without galleries and/or shafts), measurement points are located at different elevations and inside the dam or fixed on the downstream face following horizontal and vertical lines. If possible, the measurement axes are extended into the rock to also ascertain the foundation deformations. The devised network thus allows horizontal and vertical deformations of the structure to be obtained. For small dams, it is at least necessary to foresee the measurement of crest deformations.
Figure 5.12. Instrumentation of concrete dams Horizontal deformations (radial and tangential deformations) can be determined along vertical lines by direct and/or inverted pendulum measurements. Angular and distance measurements (vector measurements) taken on external targets, just as alignment sightings, are simple geodesic methods used to measure deformations on small structures. Local deformations, for example those of the upper part of the dam, can be determined by the installation of extensometers. Measurements taken by inclinome-
GRAVITY DAM
LEGEND
ARCH DAM
85
ters (with possibility for automation) allow the actual deformation to be calculated or compared with the pendulum measurement. Monitoring of foundation deformations. Extensometers allow rock foundation measurements to be carried out according to the different directions. The choice and orientation of the instruments will depend on the geology and on the direction of the forces notably transmitted in the case of arch dams. To better ascertain foundation deformations, it is recommended to place extensometers in at least two directions or to create a tripod. Punctual horizontal measurements in two directions (for example upstream - downstream, left bank - right bank), can be carried out using an inverted pendulum. Abutment movements can be monitored by points installed in the immediate proximity of the dam and connected to the geodetic network. Geodetic deformation measurements. Inherently only relative deformations can be obtained and they must be completed by a local reference space (geodetic network) to which it is connected. Thanks to the geodetic network, it is possible to measure the displacement of benchmarks with respect to a network consisting of (assumed) fixed stations or reference points. This method presents the advantage of determining the absolute displacements. Knowledge of the absolute displacements is necessary to obtain indications on the long-term evolution of deformations and more particularly for the case of abnormal behaviour. However, measurement campaigns are dependent on the meteorological conditions. An extended network can be coupled to the local geodetic network whereby points could be measured by means of GPS (Global Positioning System). The GPS offers an appropriate method that can be integrated to the control network consisting of points which are geologically stable and situated outside of the influence zone of the reservoir basin. Seepage and uplift. Seepage within the foundation creates uplift pressures the evolution of which must be followed attentively since the influence on the stability is not negligible. Water infiltrations are directed to gallery channels and then towards discharge measurement stations. The discharge rate of seepage and drainage at the outlet can be measured by volume (with a recipient and stopwatch), by a calibrated weir, a venturi or by variation of water head in a tube. These readings, jointly with those of uplift pressures, give information relative to the state of the grout curtain and the efficiency of the drains. A reduction of the discharge can indicate a clogging from the reservoir or also the clogging of the drainage system. Uplift pressure, of which the values usually vary as a function of the reservoir water level, are measured at the concrete-rock interface and in certain cases, at different depths within the foundation. Uplift pressures vary from upstream to downstream and it is desirable to distribute several measurement points along the base of the concrete structure and if possible at the intersection of several sections.
86
The measurement of uplift pressures at the concrete-rock interface can be made using a tube equipped with a manometer. For measurements of pressure at greater depth in the foundation, cells or tubes with manometers can also be employed. Instrumentation of embankment dams A synthesis of embankment dam instrumentation is presented in figure 5.13. Some of the dedicated measurement devices are presented in the followings.
Figure 5.13. Instrumentation of embankment dams Monitoring of embankment deformations. For embankment dams, the objective is firstly to know the evolution of vertical deformations (settlements) and horizontal deformations at the crest, but then also if possible, settlements at various elevations, and in particular settlements in the foundation. In general, horizontal displacements of points are determined by geodesic measurements such as angular and distance
LEGEND:
LEGEND:
87
readings (vector measurements), alignment sightings and polygonal surveys. Concerning vertical displacements (settlements or heaving), we employ levelling as well as settlement meters or hydraulic settlement gauges. The same devices are amongst the available techniques that can be used to measure settlements in soft ground. Levelling is carried out in a gallery, provided it exists, in the transversal or longitudinal direction of the embankment dam. Seepage rates and drainage. For embankment dams, seepage develops because the materials of construction used are more or less permeable. Seepage through and under an embankment dam are at the origin of interstitial pressures which take on a primordial importance for the stability of the structure. Water infiltrations must therefore be closely monitored since each deviation from the normal state represents an evolution of interstitial pressures that could place into question the safety of the water retaining structure. The seepage rate varies according to the reservoir elevation and it can also be in-fluenced by atmospheric conditions and the melting of snow. The total water discharge rate gives an indication of the global behaviour of the infiltrations. The layout of measurement stations is delineated such as to measure partial discharges for predefined zones. This procedure allows, in the case of anomalies, to localise the critical zone and to facilitate the investigation of causes. Seepage water from embankment dams can be collected in drains situated downstream of the core or at the interface of an impermeable membrane and the body of the dam and directed to a discharge measurement station. If the dam body consists of materials that are easily soluble or erodible or it is based on such materials, it is also desirable to proceed with regular checks of the turbidity and periodic chemical analyses of water. Turbidity measurements allow an appreciation concerning the content of fine particles; as for the chemical analysis, this gives information relative to dissolved materials (for example, those coming from the grout curtain). Finally, the reading of the fluctuation in the level of the pyretic surface is sometimes suggested (for example downstream of the embankment dam). Level readings can be carried out using a calibrated probe which is lowered into an open drillhole or by the use of a pressure sensor with recording device. Interstitial pressures and piezometric level. In an embankment dam, it is important to check the evolution of interstitial pressures (in particular in the core and the foundation). The interstitial pressures must not exceed the values allowed for the project. This can be achieved by placing pneumatic, hydraulic or electrical pressure cells. The check will be improved with the increasing number of measurement profiles as well as the number of cells per profile. This way of operating guarantees a certain level of redundancy which is justified by the high level of failure of cells. The evolution of infiltrations, such as the equipotentials, at given points can be simply controlled by a tube in which we read the height of the piezometric head. When these tubes are installed in permeable soil, the measurements are reliable and durable. If on
88
the other hand, these tubes are found in impermeable terrain, a time delay which is relatively long is necessary before noting a change in the piezometric level; this is due to the displacement time of the volume of water in question. In such a case, closed piezometric cells are more appropriate. 5.3.2. Emergency concept Emergency strategy The emergency concept refers to all the preparatory measures that are needed to act as well as possible when a threat to dam failure is recognised. The emergency strategy defines three danger thresholds and specifies measures accordingly (figure 5.14):
Figure 5.14. Emergency strategy (after R. Biedermann) - Danger threshold 1: It prevails when the dam specialist indicates that the event can be mastered without any doubt. To counter the occurring threat, either the appropriate remedial works are to be performed or the water level is to be partially lowered (when a rock mass might slide or fall into the reservoir).
89
- Danger threshold 2: It prevails when the dam specialist cannot certify that the situation will be mastered. In such a higher state of danger, the water level must be preventively lowered and the preparedness of the alarm system ordered. The aim when enforcing the former measure is to try to reduce the risk early enough and when enforcing the latter to make sure that the population can be evacuated on very short notice in case the drawdown of the reservoir does not proceed fast enough. - Danger threshold 3: It prevails when, according to the dam specialist, rupture of the dam can probably not be avoided any more. In this extreme situation the alarm and consequently the evacuation of the population (in all the potentially submerged areas) is to be ordered. The objective is thus to evacuate people before the catastrophe occurs, so also giving the opportunity to people close to the dam to bring themselves to safety. To be able to act in the spirit of this strategy, the dam specialist must know what the causes of the threat are and how it develops with time. This requires an increased quantity of data as well as more frequent measurements, i.e. an increased monitoring. The reducing of consequences in the case of a dam failure is prevailingly referring to the removing or diminishing at maximum of human loss of life. Warning and evacuation of potentially affected population, according to a thoroughly established action schedule have beneficial effects in this respect.
Alarm system When reaching the danger threshold 3 (respectively in case of failure), the emergency strategy specifies that the evacuation of the people in the potentially submerged area must be ordered. This is done in most of the cases with sirens within the localities and with mobile alarming teams outside of the localities.
As a rule, the general alarm system (under control of central government) is used as alarming signal in the localities, and this in the whole submerged area (alarm system of type B according to figure 5.15).
If the small submerged area is scarcely populated the alarming sirens can be replaced by mobile alarming teams (alarm system of type A). On the other hand, whenever population at risk is located near the dam, where the flood wave arrives in short time, a second type of siren must be installed as a complement in the near zone: water alarm sirens that are activated from the dam (alarm system of type C). The near zone encompasses that area which, after a total failure of the dam, is submerged within two hours at most.
Changes in degree of alarm readiness and activation of the alarm are initiated usually from the dam owner as he is responsible for the safety of the dam and for the continuous assessment of the situation. The message flows from the owner to the relevant authorities which must act accordingly. The efficiency of an alarming-evacuation plan depends on the extent to which there are clearly delimited the responsibilities of the dam owner and authorities but also on the training of population to whom the plan is addressed.
90
Figure 5.15. Possible alarm systems (after R. Biedermann) 5.4. Risk treatment The safety of a dam and the level of acceptable risk must be ensured in all its stages of existence namely designing, performing, operation, abandoning. The measures and actions taken in order to fulfil this requirement are generically defined as risk treatment. Risk reduction effect In many practical cases the FN-curve is re-evaluated following the risk reduction measures, leading to a stepwise decreasing function as given in figure 5.16. In the figure the effect of two categories of measures to reduce the risk are indicated. If the safety of the dam is increased, the graph will be lowered. To narrow the FN/D-curve the maximal consequences of a breach must be reduced. This seems only possible by spatial planning measures like the restriction of new settlements to relatively higher grounds.
91
Figure 5.16. Risk reduction effects on F/N chart
Timing of major rehabilitation work The capacity of some dam components deteriorates with time - such as mechanical equipment, spillway capacity as compared with increased flood estimation etc. Consequently, a mechanism is needed to forecast failure-probability in order to permit defendable, proactive budgetary planning to be performed. As shown in Figure 5.17, the capacity-demand procedure can be used as a tool to achieve this objective.
Figure 5.17. Evaluation of intervention timing
92
The method can account for changing conditions on the capacity side, such as a progressive breakdown of riprap. On the demand side, factors such as increasing performance requirements or rising of maximum water levels can be included in the analysis. Once the relationship of failure-probability with time has been established, it is possible to make use of life cycle management models to assess the optimum timing for major capital expenditures. In this approach, a risk assessment is made which essentially involves evaluating the risks usually in terms of the economic consequences associated with a ‘do-nothing’ alternative. In the case of a relatively new dam, this do-nothing approach may represent the least-cost alternative. However, as the structure ages, the probability of failure and, therefore, risk increases such that, at the same point, least-cost strategy shifts to selective rehabilitation or replacement. To assess the optimum intervention timing, various intervention alternatives can be assessed to establish a least-cost option. For each alternative, risk exposure is computed by considering the change in failure-probability that results from implementing the intervention alternative. By assessing the direct costs associated with implementation of competing rehabilitation schemes, and the associated risk-costs, the economics of implementing structural improvements, with respect to the base case alternative, are evaluated. This permits the optimum timing for implementation of a particular rehabilitation alternative to be determined by calculating net present values at each year of implementation. BIBLIOGRAPHY
Almeida, B., Ramos, M.C., Franco, B., Lima, L., Santos, M., (1997) - Dam break flood risk and safety management at downstream valleys. Proc. of ICOLD Congress", Q 75, R 25, Florence.
Biedermann, R. (1997). Dam safety. Wasser Energie Luft-89, Heft 3/4, CH-5401, Baden. Hartford, D., Baecher, G. (2004). Risk and uncertainty in dam safety. Thomas Telford. London H o ek s t r a , A . ( 1997). Risk management. Private paper, January.
ICOLD. (2006). Risk Assessment in Dam Safety Management. ICOLD Bulletin 130. Kreuzer, H. (2000). The use of risk analysis to support dam safety decisions and management. General report Q76. Proc. of 20th ICOLD Congress. Beijing 2000. Lemperiere, E. (2002). Non-structural measures for cost-effective risk reduction. Hydropower and Dams, Issue four. M cD on a l d , L . ( 1994). ANCOLD risk assessment guidelines. Proceedings of Seminar on "Acceptable risks for extreme events in the planning and design of major infrastructure". Sydney.
93
Nielson, N., Vick, S., Hartford, D. (1994). Risk Analysis in British Columbia. International Water Power and Dam Construction, March. O o s th u izen , C . v an d e r S puy , D . , Ba r ke r , M. B . , van d e r S p uy , J . ( 1991). Risk-based dam safety analysis. Dam Engineering, Vol. II, issue 2.
Salmon, G., von Hehn, G. (1993). Consequence Based Dam Safety Criteria for Floods and Earthquakes. Proceedings of the International Workshop on Dam Safety Evaluation, Grindelwald, April.
Salmon, G., M., Hartford, D., N. (1995). Lessons from the application of risk assessment to dam safety. ANCOLD Bulletin No 101. Swiss Committee on Dams (2006). Dam monitoring instrumentation. Concept, reliability and redundancy. Wasser Energie Luft-98, Heft 2, CH-5401, Baden. S t e ma t iu , D . , S â r gh iu ţ ă , R . , Bug na r i u , T . , Abd u la mi t , A . (1998). Significance of predicted displacement limits in arch dam safety evaluation. Proceedings of International Symposium on "New trends and guidelines on dam safety" (L. Berga Ed.). Barcelona.
Stematiu, D., Ionescu, St., Marinescu, P. (2001). Progress in Romanian legislation based on risk management. Proc. of ICOLD European Symposium on Dams in European Context, Geiranger, June, 2001.
94
6. DECISION STRATEGIES BASED ON RISK
EVALUATION
4.1. Design criteria based on probabilistic approach The concept The design implies choosing the optimum solution out of the multitude of possible alternatives based on certain decision rules. The main objective is to obtain a reasonable equilibrium between safety and cost. The common approach excludes the failure risk. The decision rule for choosing the optimum alternative is that of the minimum investment cost (I = min) and consequently only one parameter of the re-quired equilibrium is considered. In most cases, the probability of failure of each alternative is different and consequently the selection is based on the comparison of 'incomparable alternatives'. In order to overcome these inconsistencies a new design criterion is required. The risk (probability of failure and the cost of the damages associated to certain failure mechanism) has to be included as well as the investment cost. The decision rule best corresponding to the probabilistic approach is that of minimizing the generalized cost Cg:
min, =∗+= ∑ ii if CPICg (6.1) where
I is the investment cost, Pf,i - the failure probability corresponding to the failure mechanism i , Ci - the cost corresponding to the failure mechanism i, including the damage
cost and the dam reconstruction cost. When applying the criterion of the minimum generalized cost in the dam field one has to take into account that the damage cost induced by the dam failure (flooding of the downstream area) exceeds by far the dam investment cost. There also appear social consequences that are difficult to be quantitatively expressed. Because of the dif-ficulties associated with the estimating of the damage cost, the minimization of Cg has to be approached by using a specific procedure. The investment cost I and the failure probability Pf are evaluated for several design alternatives and then the relationship Pf = f(I) is defined. The cost of the damages produced in the downstream area is considered to have a constant value C which does not depend on I. The gene-ralized cost becomes:
Cg = I + C • f (I ) (6.2)
95
The Cg = min criterion
=∂∂ 0
ICg leads to a relationship between the investment cost
and the damage cost:
)(1
IfC I−= (6.3)
Assuming that the damage cost C can be expressed as a multiple of I (C = α I) the investment cost of the optimum design alternative can be obtained for an estimated value of α. Design of a rockfill dam cross section For a homogeneous rockfill dam the failure mechanism was considered to be the sliding of a downstream prism on a plane surfaces that passes through the downstream toe (see figure 3.10, a). The probability of failure is evaluated by using the procedure exposed in subchapter 3.4. Figure 6.1 shows the dependence between the investment cost I of the alternatives with Cg = min and the ratio α = C / I.
Figure 6.1. Design of the rockfill cross section on the basis of generalized cost The dotted line corresponds to I(α) estimated during the first design stage ( 06.0;81..0tan == σϕ ). The solid line corresponds to I(α) re-estimated during the dam construction, when the quarry showed a great heterogeneity ( 11.0;781.0tan == σϕ ). Ratio α for the selected dam exceeds the value of 20 and consequently the dam cross section depends but in a small measure on the damage cost accurate estimation. The optimum value of the investment cost in the final design (solid line) corresponds to an average slope of 1:1.73 for the downstream face. Selection of the dam type The need of new design criteria, based on risk evaluation, is more obvious when selecting the dam type for the same site. By using the conventional factor of safety for
mil
= C / I
mil
96
designing of each dam type, the comparison of the design alternatives on the basis of the minimum investment cost is misleading since the level of safety of the alternatives is not the same. In order to illustrate the non-consistency of the deterministic approach when applied to the dam type selection, safety analyses have been performed for a rockfill and for a gravity dam, selected as a possible damming alternatives for a certain site. Figure 6.2, left side shows the dependency of the probability of failure on dam volume for each dam type.
Figure 6.2. Selection of the dam type observing the same level of safety Under the probabilistic approach the failure scenarios were the sliding of the downstream prism along a plane which passes through the downstream toe for the rockfill dam and the sliding of the dam body along the foundation surface for the concrete gravity dam. For the evaluation of the probability of failure, a truncated normal distribution was assigned for the geotechnical data obtained from the site and quarry investigation, that is, the friction coefficient at the concrete/foundation interface (mean value f = 0.55 with a mean square deviation of σ = 0.03) and the internal angle of friction of the rockfill (mean value tan φ = 0.781 with a mean square deviation of σ = 0.06). A ratio of 3 between the unit costs of the concrete and the rockfill was assumed. The dependency of the probability of failure on the investment cost for both gravity dam (IG) and rockfill dam (IE) is shown in figure 6.2, right side. Based on these analyses one can notice that the comparison of the alternatives characterized by the same factor of safety FS = 1.3, promotes the rockfill dam as the best choice. (IG = 1.211 IE). The same comparison of dam types but designed to have the same probability of failure,
Investment cost per 1 m of dam
FS
97
as it is required by the equilibrium between cost and safety, indicates as the best alternative the gravity dam. (IG = 0.908 IE for Pf = 9.2 x l0-4 and IG = 0.975 IE for Pf = 0.96 x l0-4 respectively). Consequently, for a consistent approach several dam type layouts have first to be designed so as to ensure the same probability of failure and then be compared on the basis of the investment cost. 4.2. Consequence based dam safety criteria The concept According to most of the design codes, dams are designed and their safety evaluated based on fixed criteria for extreme events. For large dams rated as having significant consequences in case of failure Probable Maximum Flood (PMF) or floods with 1/10,000 probability of exceedance has to be safely routed through the reservoir and dam spillways. The same dams have to withstand safely the Maximum Credible Earthquake (MCE). The design codes also promote a stepped approach in their selection of criteria for extreme natural events based on a certain classifying system that includes dam and reservoir characteristics as well as the dam failure consequences. The severity of criteria concerning design floods and earthquake is relaxed in the case of dams situated in a lower category. For dams in the same category, fixed design and safety evaluation criteria are assigned for floods and earthquakes. The existing criteria system has several shortcomings. In dam classification the loss of life and economic loss are described only in qualitative terms. This can lead to inconsistencies in interpretation. The classifying system is not sensitive to gradations of downstream consequences and, as a result, it groups too many dams whose failure would have vastly different consequences in the same category. In order to be more sensitive to those gradations in downstream consequences, new guidelines are proposed by BC Hydro for the selection of criteria for earthquakes and floods. These guidelines are presented in the followings, based on the paper written by G. Solomon and G. von Hehn. The guidelines meet the following objectives:
• The criteria for dams whose failure would have catastrophic consequences in terms of loss of life and economic losses should be designed and evaluated for the most extreme conditions: the PMF and the MCE or their equivalent in terms of probability of exceedance;
• The criteria for dams whose failure result in no loss of life and in little economic loss should remain at a certain minimum (such as a 1:200 year flood or earthquake) or as warranted by economic analysis; and,
• The criteria for all other dams (this would cover the range from PMF/MCE to the 1:200 year event) should be in balance with their consequences of failure.
Proposed approach The proposed approach to the evaluation of dam safety requires determination of the combined probability of the occurrence of extreme loads and probability of dam failure under these loads. The combined probability of dam failure is referred to as the total probability of dam failure. To determine the level risk at any dam, the total probability of dam failure would be multiplied by the consequences. A uniform level of exposure would require that the permissible total probability of failure vary
98
inversely with the consequences of such failure. To use this approach, procedures for assessing consequences of dam failure in a consistent and rational manner are required along with those for assessing the probability of failure. Each dam would be designed or evaluated for safety using extreme loadings based on the incremental consequences of failure caused by floods or earthquakes. The consequence evaluation would be based on the potential losses which a failure would inflict upstream of, at, and downstream of the dam facility. The evaluation would consider both existing and foreseeable future downstream development and land uses during the expected life of the dam. It would include an assessment of potential loss of life, economic losses, environmental, social and cultural losses. A standard for selecting criteria with respect to loads from natural events based on a tolerable exposure level at any dam is one which does not impose an unacceptable risk of loss of life or financial loss. The tolerable exposure being considered by BC Hydro is:
• One fatality per 1000 years or more of dam operation but without imposing an intolerable risk to any individual.
• An expected annual damage loss of $10,000 or less from the total of direct damages, consequential damage, social disruption and environmental damage.
The tentative exposure levels of one fatality per 1000 years of operation and expected annual damage cost of $ 10,000 were selected on the basis of risks normally accepted by society. A more detailed discussion on the subject was presented in chapter 5 of the book. The level of exposure considered tolerable by other regulations could differ from the ones presented, in accordance with financial and societal requirements. Should the consequences of failure be such that in order to meet the acceptable exposure level as defined above, the annual total probability of failure must be 1:100,000 or less, the dam would be designed or evaluated based on the maximum loading criteria using the PMF and MCE. All water-containing structures must have adequate stability to withstand the design loads. For normal loadings the factors of safety are to be in the internationally accepted range. For loadings up to and including the extreme loadings as permitted by the tolerable exposure level, damage to the structures is acceptable as long as it does not result in uncontrolled release of the reservoir. Figure 6.3 illustrates the overall method to evaluate dam safety or to select extreme design loads based on the consequences of dam failure. The method starts with performing inundation studies to assess likely downstream flooding from a dam breach due to an earthquake or flood dam failure. In order to evaluate incremental consequences of dam failure, an estimate is also required for the flooding that would occur without dam breach. In the next step the consequences of dam failure are evaluate in terms of probable loss of life, economic costs of the other potential losses covering loss and/or damage to all property, facilities, utilities and dam, as well as loss of power generation in case of dams related to water power. Costs are assigned to social, cultural and environmental impacts, if possible and included.
99
Figure 6.3. Dam safety evaluation against exposure level
For evaluating the exposure to loss from an existing dam for floods, determine the probability of occurrence of ranges of floods extending from the smallest flood that might cause failure to the largest flood that could reasonably occur (PMF). For each flood magnitude range, determine the probability of dam breach. Multiply the probability of the flood event range by the conditional probability of dam failure given the flood within the range and sum over all flood ranges to determine the total probability of failure due to floods. Multiply the total probability of failure by the incremental consequences of failure due to floods to determine the level of exposure due to floods. This will yield expected fatalities per 1000 years and the annual risk cost for floods.
Prob.
Prob. Prob.
100
For evaluating the exposure to loss from an existing dam for earthquakes, determine the probability of ground motions over ranges of intensities from the smallest acceleration that might cause failure to the largest earthquake acceleration that could reasonably occur (MCE). Determine the probability of dam failure for each range of earthquake intensities. Multiply the probability of all earthquakes within the range and the corresponding probability of failure and sum for all earthquake ranges to find the total probability of failure due to earthquakes. Multiply the total probability of failure by the incremental consequences of dam failure to find the level of exposure due to earthquakes. This exposure level will be expressed in expected fatalities per 1000 years and annual risk cost related to earthquakes. Once the exposures levels due to floods and earthquakes are evaluated sum the levels to find the total level of exposure for the dam from these two natural events. Finally the total level of exposure due to floods and earthquakes is compared to the tolerable level of exposure to determine the adequacy of the level of safety of the dam in withstanding these natural hazards. The qualitative social, cultural and environmental consequences should also be considered in making this determination. Should an existing dam fail to meet the criteria for tolerable level of exposure, dam safety improvements should be carried out. The following case study clarifies the procedure to define such improvements. Case study Let us assume that for the analysed dam the extreme events are only floods. The original design flood for the spillway structure is 170 m3/s. The evaluated exposure level (see figure 6.4) overpasses the established acceptable level (20 lives would be lost due to floods induced failure in the next 1000 years, significantly more than tolerable one fatality per 1000 years or more of dam operation).
Figure 6.4. Probability of failure versus design flood
To
tal p
rob
ab
ilit
y o
f fa
ilu
re
170 360 m3/s
101
This estimate imposes the improvement of the dam to meet higher standards than currently exists. Additional discharge capacity is required. In order to observe the acceptable exposure level the total probability of failure due to floods has to be 1/ [1000/1 x 20] = 0.00005. A series of trial dam/spillway arrangements are developed. By using the above presented methodology, the total probability of failure is evaluated for each arrangement. Figure 6.4 shows the resulting curve of total probability of failure versus the actual capacity of discharge of each new design arrangements. To achieve a total probability of failure equal or less than 5 x 10-5 the spillway capacity has to accommodate a 360 m3/s inflow. 4.3. Dam monitoring improvement based on the net expected benefit One of the most efficient measures that reduce the probability of failure is the provision of an adequate monitoring system. The question is what a good monitoring system is and what the rational limits of a surveillance program are. If additional instrumentation is installed, the supplementary costs must be balanced by a corresponding improvement of the dam surveillance with direct effects in safety. Effectiveness of protective measures The effectiveness of a safety program can be quantitatively evaluated by the risk reduction that it provides. The rehabilitation of the dam, the added monitoring systems or the operation constrains has direct effects in reducing the probability of dam failure. If Pf is the probability of failure of an existing dam and P’f is the new probability of failure if added protection is provided one can define: Pf = P’f ( 1-r ) (6.4) where r is a measure of risk reduction effectiveness. The dam can fail following several failure mechanisms, which have different probabilities of failure. Safety improvements have also different effects on reducing failure probabilities corresponding to different failure scenarios. Consequently, if j denotes a certain mechanism (scenario) of failure, and the hazards are treated separately (mutually exclusive failures) the total probability of dam failure is:
Pf = Σ Pf, j (6.5) all scenarios
where Pf, j is the annual probability of failure corresponding to mechanism j. If a certain protective measure is provided, the probability of failure corresponding to each j mechanism will be differently reduced:
P’f, j = Pf, j ( 1-rj ) (6.6) where rj is the effectiveness in reducing the risk in mode j. The new overall probability of failure:
P’f = Pf (1-r) = Σ Pf, j ( 1-rj ) (6.7) all scenarios
102
renders evident an overall risk reduction effectiveness:
r = Σ ( Pf, j / Pf ) rj (6.8) all scenarios
where r is a weighted combination of rj values. The weighting factors are the fractional or relative probabilities Pf,j / Pf characterizing the likelihood of occurrence of a certain failure scenario. The annual failure probability (rate) can be evaluated by using either a full probabilistic approach or, more often, a statistical approach. Decision strategy Assuming that dam failure warning and evacuation planning are very efficient, the loss of life can be reduced to practically irreducible level and the consequences are only the economic ones and can be assessed. The annual risk can be defined multiplying the failure probability per year with the monetary value of the consequences. The expected monetary loss can be reduced if the probability of failure is reduced by added protection. Several strategies can be conceived and for each of them the risk reduction effectiveness and the added cost can be evaluated. The final selection of the “best” strategy is based on the trade-off between cost and risk. The framework of the process is presented in figure 6.5.
Figure 6.5. Decision making process
In the case of dam safety monitoring the benefits can be quantified and used as the objective function. If C denotes the monetary loss in the case of dam failure, the average annual economic loss is expressed as Pf C, where Pf is the annual failure probability. A certain strategy of dam monitoring improvement will lead to a risk reduction effectiveness rs and to an average annual economic benefit:
103
b = Pf C - P’f C = Pf C rs (6.9) Each strategy implies supplementary annual costs ∆Cs and a net expected benefit can be defined:
bn = b - ∆Cs = Pf C rs - ∆Cs (6.10) The best monitoring improvement strategy is the one which creates the maximum expected net benefit (see figure 6.6). For an owner having in operation several dams, the decision concerning the best strategy in dam monitoring improvements is based on maximizing the total expected annual benefits with a limited annual budget.
A case study: Srejesti dam Strejesti dam (figure 6.7) provides storage of 250 million m3 of water for Strejesti hydropower plant with an installed power of 50 MW and a total annual energy output of 173 GWh/year. The Strejesti power plant is the last major plant of the Middle Olt section development, which covers a length of 120 km with a head of 202 m. The main earth dam and the concrete spillway have a thorough monitoring system corresponding to the common practice in the field. It measures the water pressure and the uplift, joint openings, settlements and horizontal movements, seepage and deformations. The recorded parameter values and the regular visual inspections allow for good dam surveillance and for an accurate safety assessment of the dam.
Cost of added protection ∆Cs
Best strategy
rs1 rs2 rs3 rs = 1
∆Cs2
Net benefit bn
Expected monetary loss Pf C (1-rS)
b= PfC rS2
Pf C
Existent dam
Figure 6.6. Benefits versus effectiveness of risk reduction
Best strategy
104
The lateral right bank dam is provided with a less elaborate monitoring system. The seepage is collected in a seepage channel along the downstream toe of the dam and measured in several calibrated sections. The settlements are measured by means of annual survey using benchmarks located on the dam crest and on the downstream berm. The seepage field in the dam body is recorded by 23 piezometer drillings located in 9 monitoring profiles. Two hydro geological drillings are used for underground water table measurement. The lateral dam surveillance is also done by visual inspections conducted by dam operators.
Figure 6.7. Strejesti dam monitoring system
SPILLWAY AND MAIN DAM
105
During the reservoir operation several incidents have been recorded. Concentrated seepage and sinkholes have been discovered downstream of the main earth dam and remedial works were performed. Several landslides along the left bank of the reservoir have been activated and the remedial actions were backfills and supplementary excavations. Along the downstream face of the lateral dam several wet spots have been noticed, in connection with the detachment of the bituminous sealing of the upstream concrete face joints. The upper location of the seepage line has also revealed some deficiencies of the drainage properties of the embankment. The major incidents were recorded during two strong earthquakes. Evident signs of liquefaction (sand craters) appeared in several zones downstream the lateral dam (see shadow zones corresponding to piezometer profiles P7, P8 & P11 in figure 6.7) in connection with the lens of saturated sand in the foundation. Taking into account the incidents produced in the past, the difficult foundation conditions and the insufficient drainage properties of the dam body, the actual monitoring system of the lateral dam was considered unsatisfactory. To aid the selection of the most appropriate supplementary monitoring actions it was decided to undertake a risk analysis of the lateral dam. The analysis was focused on the assessment of the global probability of failure, on identification of the potential failure mechanisms and on the evaluation of the downstream economic loss induced by a dam breach. The results of the risk analysis are briefly presented in the followings. The global probability of failure was selected based on statistical data. Assuming similar conditions with the embankment dams with heights in the range of 15 m to 50 m, a global probability of failure Pf = 8.4 x 10-5 was assigned to the lateral dam. The failure mechanisms and the associated partial probabilities of failure were identified based on engineering judgment. Four major failure scenarios were selected for the decision policy, all the other being included in the “unknown” mechanisms: - dam overtopping due to: (1)faulty performance of the gates; (2)extensive settlements and loss of freeboard; (3)sedimentation of the upstream entrance in the reservoir leading to rise of the backwater levels. The fractional probability of the dam overtopping mechanism is 22 %; - piping induced by concentrated leakage through unsealed contraction joints of the concrete face or by extensive seepage in the contact zone of the dam foundation interface, through saturated sandy lens. The fractional probability of the piping failure mechanism is 37 %; - earthquake induced extensive movements of the dam body, due to liquefaction or near liquefaction condition within the saturated sandy layers in the upper zone of the foundation. The fractional probability of the earthquake effects in foundation is 19 %; - slope sliding triggered by saturated condition of the downstream shell as a consequence of intense leakage through the upstream concrete face and lack of drainage in the downstream zone. The fractional probability of the slope sliding mechanism is 12 %. All the other mechanisms or unknown scenarios have been considered with a fractional probability of 10 %.
106
Consequences of the dam failure are: loss of life, economic loss, environmental and social effects. Only the economic loss can be clearly defined in monetary terms. In order to assess the loss of life and economic consequences a dambreak simulation was undertaken. According to the procedure defined for the decision analysis only the economic loss is considered. With unit costs for replacement of roads, railways, bridges, various services, schools, industrial works and houses and adding the investment cost of the dam the total estimated cost of damages was between 3150 million US$ and 3305 million US$. The annual monetary loss (economic damages) has been evaluated as the product of failure probability and estimated cost of damages: Pf . C = 277 200 US$/year. The improvement of the existing monitoring system of the lateral dam can be achieved by adding one or several monitoring actions. For Strejesti lateral dam four alternatives were identified: - improved visual inspections, conducted by a team of experts with monthly frequency. The corresponding annual cost was estimated at 30 200 US$/year; -supplementary piezometer drillings located in new piezometric profiles. Depending on the new average interval between the monitoring profiles the corresponding annual costs were estimated at 36,000 US$/year for 800 m interval, at 126,000 US$/year for 400 m interval and at 306,000 US$/year for 200 m interval; - systematic georadar and thermographic measurements along the dam crest, downstream slope and the toe berm. The corresponding annual cost was estimated at 41,000 US$/year; - supplementary geophysical measurements, as electric field, electromagnetic field, resistivity, etc. to identify permeability, water content and seepage lines. The corresponding annual cost was estimated at 94,500 US$/ year. Risk reduction effectiveness for the alternative monitoring actions has been evaluated by a panel of experts on the basis of their personal experience and on the dam safety report data. The risk reduction coefficients for each failure mechanism and for each alternative action are summarized in table 6.1.
Table 6.1. Risk reduction effectiveness for alternative monitoring actions.
Failure mechanism
(j)
j=1 Dam
overtopping
j=2 Piping
j=3 Earthquake effects in
foundation
j=4 Slope sliding
j=5 Unknown
Relative probability of failure Pf,j / Pf
0.22 0.37 0.19 0.12 0.10
Risk reduction effectiveness
r1 r2 r3 r4 r5
a) Improved visual inspections
0.50 0.40 0.25 0.80 -
b)Supplementary piezometric profiles b1) at 800 m
-
0.10
0.10
0.40
-
b2) at 400 m - 0.20 0.20 0.75 - b3) at 200 m - 0.30 0.30 0.90 - c) Georadar and thermograph
- 0.20 0.15 0.60 0.30
d) Other geophysical procedures
- 0.20 - 0.15 -
107
The alternative monitoring actions can be combined in order to define different monitoring improvements strategies. The risk reduction effectiveness and the corresponding costs for monitoring improvement strategies are presented in table 6.2. According to the relationship (6.8) and (6.9) the global risk reduction effectiveness and the net benefit for each strategy are evaluated in table 6.2. The results of the decision analysis are plotted in figure 6.8.
Table 6.2. Risk reduction effectiveness and corresponding costs for monitoring
improvement strategies Failure
mechanism (j)
j=1 Dam
overtopping
j=2 Piping
j=3 Earthquake effects in
foundation
j=4 Slope sliding
j=5 Unknown
Relative probability of
failure (Pf ,j/Pf)
0.22 0.37 0.19 0.12 0.10 Global risk reduction
effectiveness
Annual costs
Net benefit
Risk reduction effectiveness
(rj)
r1 r2 r3 r4 r5 (Pf, j / Pf) rj1
5
∑
∆C (US$)
bn (US$)
Existing monitory system
0.4 0.393 0.105 0.323 0.293 0.321 - -
S=1 – a 0.5 0.4 0.25 0.80 - 0.430 30.200 80,957 S=2 – a+b1 0.5 0.5 0.35 0.95 - 0.470 66,200 64,084 S=3 – a+b2 0.5 0.6 0.45 0.95 - 0.530 156,200 -9,284 S=4 – a+b3 0.5 0.7 0.55 0.95 - 0.660 336,200 -152,139 S=5 – a+c 0.5 0.6 0.40 0.95 0.30 0.552 71,200 81,814 S=6 – a+b1+c 0.5 0.7 0.50 0.95 0.30 0.608 107,200 61,337 S=7 – a+b2+c 0.5 0.8 0.60 0.95 0.30 0.664 197,200 -13,139 S=8 – a+b3+c 0.5 0.9 0.70 0.95 0.30 0.720 377,200 -177,616 S=9 – a+c+d 0.5 0.8 0.40 0.95 0.30 0.626 165,700 7,827
Figure 6.8. Costs and benefits corresponding to alternative strategies
108
The effectiveness range is rs = 0.4 ... 0.8 and the costs of added monitoring strategies S = 1 to 9 (table 6.2) are rapidly increasing for higher values of rs. The net annual benefit has a maximum value for strategy S = 5 (i.e. improved visual inspections combined with systematic georadar and thermographic measurements). BIBLIOGRAPHY Kreuzer, H. (2000). The use of risk analysis to support dam safety decisions and management. General report Q76. Proc. of 20th ICOLD Congress. Beijing 2000. Priscu, R., Stematiu, D. (1984). Some design criteria for large dams on the basis of probabilistic concept of Safety. Proc. of Int. Conf. on Safety of Dams, Coimbra, April, 1984.
Salmon, G., von Hehn, G. (1993). Consequence Based Dam Safety Criteria for Floods and Earthquakes. Proceedings of the International Workshop on Dam Safety Evaluation, Grindelwald, April.
Stematiu, D., Abdulamit, C. (1998). Decision analysis in dam safety monitoring. Proc. of Int. Symposium on "Rehabilitation of dams", pg. 324...329, November 1998, INCOLD, New Delhi. Stematiu, D., Ionescu, St. (1999). Safety and risk in hydraulic structures (in Romanian). Editura Didactica si Pedagogica, Bucharest.
